SPYWARE: WHAT YOU DON’T KNOW CAN HURT YOU

THURSDAY, APRIL 29, 2004

House of Representatives,
Committee on Energy and Commerce,
Subcommittee on Commerce, Trade, and Consumer Protection,
Washington, DC.

The subcommittee met, pursuant to notice, at 10 a.m., in room 2123, Rayburn House Office Building, Hon. Cliff Stearns (chairman) presiding.

Members present: Representatives Stearns, Upton, Shimkus, Shadegg, Bass, Bono, Otter, Barton (ex officio), Schakowsky, and Strickland.

Also present: Representatives Inslee and Greenwood.

Staff present: David L. Cavicke, majority counsel; Chris Leahy, policy coordinator; Shannon Jacquot, majority counsel; Brian McCullough, majority professional staff; Jill Latham, legislative clerk; William Carty, legislative clerk; and Consuela Washington, minority counsel.

Mr. Stearns. Good morning. I am pleased to welcome all of you to the Commerce, Trade and Consumer Protection Subcommittee hearing on spyware. Spyware is loosely defined as malicious software, downloaded from the internet, that spies on the computer owner or user, usually to provide information to third parties. The Federal Trade Commission has said that spyware is software that aids in gathering information about a person or organization without their knowledge and that may send such information to another entity without the consumer’s consent, or that asserts control over a computer without the consumer’s knowledge. A spyware relative, known as adware, enables the computer owner or user to receive a stream of ads and other marketing information, usually based on data the software has collected about the user. Adware or ad-supported software is frequently bundled with free internet software or freeware. Legitimate adware allows the user knowledge and consent about the software and frequently provides an adware-free version for purchase. More noxious adware versions, however, can be downloaded without consent or through deceptive means, essentially making them spyware in themselves.

My colleagues, as we speak, spyware and adware software programs are growing at a very, very rapid rate. According to the consumer security firm McAfee, these software programs have grown in number from about 2 million in August 2003 to over 14 million currently.
As further proof of the potential scale of this problem, the National Cyber Security Alliance has estimated that over 90 percent of users had some form of adware or spyware on their computers and yet most were unaware of it. In worse cases, the more malicious varieties of spyware can record keystrokes and compromise personal information, including passwords and Social Security Numbers.

The simple act of downloading a desired program from the internet can not only open the door to your personal computer and your most private information, but also can allow spies to effectively take up residence in your personal computer, your personal property, I might add, without your knowledge and without your consent.

Then, after sneaking into your computer, some of these malicious spyware programs can act as snoops, prying into your private life, or as thieves, stealing personal information, or as pornography dealers, exposing your children to obscene online material.

If and when you finally discover the spy lurking in your personal computer, the damage is already done. In the best cases, the technology that enables spyware also can serve as a first line of defense against obscene internet material by tracking website activity and filtering out the garbage. Other forms of the technology, like legitimate adware, are authorized by the consumer and provide businesses a new and efficient means of reaching potential customers with less expensive goods and services.

While some would have us define spyware with technical parameters, others believe that it is not the technology tool that needs to be defined and targeted. It’s the unscrupulous individuals preying on the consumer from these programs.

Clearly, no matter the definition we create today, it is always reprehensible when someone intentionally downloads secret software onto a personal computer that is designed to steal information or trick us into opening the doors into our private lives.

To try to address this egregious internet activity, Ms. Bono of California has introduced legislation to enhance spyware disclosures, root out this deceptive and fraudulent and create accountability. Her bill requires that computer users receive clear and conspicuous notice prior to downloading spyware and that all third parties provide their identity.

I sincerely commend her for her leadership on this issue. It is my hope that we can reach bipartisan consensus on legislation that will protect consumers from unwittingly being spied upon.

With the help of our distinguished panel of witnesses, one of our most important tasks is to try to establish the boundaries of what is clearly legitimate and what is clearly reprehensible. We then need to explore the murky area in the middle where cases aren’t so stark and are not so clear-cut, especially in cases where consumers are duped with lengthy and confusing license agreements, website trickery and exploitation of weak personal computer security.

The ultimate challenge, therefore, is to investigate ways industry, consumers and Congress can work together to rid our online marketplace of the bad apples, while preserving legitimate uses for this software technology.

And finally, my colleagues, our panel today will help us understand how spyware and adware programs are distributed in commerce, both legitimate and fraudulent; the scope of the privacy and security risk posed by this software; its effects on economic productivity; and the need for Federal legislation. And I think many of you know that the State of Utah has already passed a spyware bill. The States of California and New York are presently looking at that.

I welcome our witnesses today and I look forward to their testimony and with that, I call on the ranking member for her opening statement.

Ms. Schakowsky. Thank you, Chairman Stearns. One of the great things about this job is that you learn something new every day. So that either indicates that I am way behind the curve here or that perhaps the Congress is getting a grip on an emerging problem. Because increasingly people are finding that their home web pages are changed or their computers are sluggish, they get pop-up ads that won’t go away no matter how many times they try to close them. They find software on their computer they didn’t install and they can’t uninstall. Their computers are no longer their own and they can’t figure out why.

They think that the problem is with their computer, with a program they installed or with their internet service provider, but more and more often, it’s becoming clear that they are the unwitting victims of spyware. Because they clicked on the wrong web page or signed an agreement to download one program, spyware has made it onto their computer.

While the above examples can be written off by some as merely annoying, there are serious privacy and security issues at stake. The tracking capability of spyware programs can be so powerful that it can record every keystroke computer users enter. It can take pictures of personal computer screens. It can snatch personal information from consumers’ hard drives. People can see their bank account numbers, passwords and other personal information stolen because they quite innocently went to a bad website or clicked an agreement they didn’t know they shouldn’t.

While some programs called spyware can have legitimate purposes, like allowing for access to online newspapers without having to register every time you want to read it, truly nefarious spyware uses software and applications in ways that cannot be defended. Spyware purveyors engage in unfair and deceptive practices. They take personal information without permission. They exploit software vulnerabilities and co-opt others’ computers.

Fortunately, we do have a number of laws on the books that we can use against spyware. However, there has been virtually no enforcement of the laws. Spyware transmitters know how to cover their tracks and technology changes every day. It makes it very hard to find those who are to blame, but it can be done and we need to pursue enforcement of laws already on the books.

And we also need to explore legislation and other responses to deal with the inevitable loopholes that exist in the law because of the ever-evolving nature of technology. That’s why I’m glad we’re here and glad I’m here today to start discussing the best way we as legislators can address these issues.

We also need to get the word out to consumers so that they know what is really wrong with their computers and so that they can protect themselves from online predators. We should build on the consumer awareness efforts of the FTC and the Center for Democracy and Technology as a result of their pursuing comments about how spyware has affected people. They have heard from hundreds of consumers concerned about spyware’s invasion into their privacy. From these comments and very technical investigative follow-up, the Center for Democracy and Technology has filed complaints with the FTC about two spyware bad actors. I’m quite pleased that we have distinguished witnesses representing the broad spectrum of affected parties and, as Chairman Stearns mentioned, we have the industry, regulators and consumer groups, and I look forward to hearing from all of you.

Thank you.

Mr. Stearns. I thank my colleague. The distinguished chairman of the full committee, the gentleman from Texas, Mr. Barton.

Chairman Barton. Well, thank you, Chairman Stearns, for holding this hearing and I want to thank Congresswoman Bono for introducing this piece of legislation.

We checked our committee computers this week and found 167 spyware programs on it. I told that at a meeting breakfast a couple of days ago and the gentleman held up his hand and said he had just checked his computer and had over 200, and then I told the story at dinner last night and somebody held up their hand and said over 400. So there is no more pernicious, intrusive activity going on on the internet today than the subject of this hearing. And I hope that after the hearing, we can come together on a bipartisan basis and decide what to do legislatively about it.

I have told Congresswoman Bono that her bill is a starting point, but not the end point, and I want to tell all of the members of the committee and the folks in the audience and the people that are watching this on television, if it’s being broadcast, that we really intend to do something about this. We do not let people just wander around our homes without our permission. We don’t let total strangers just come up to us, encourage us to buy this or buy that or do this or do that. And certainly when we have guests over and they overstay their welcome, we encourage them to leave. None of those can we do with these spyware programs that are proliferating on our personal computers and, as we found out at the committee this week, our office computers.

So I am very, very pleased that Chairman Stearns is holding this hearing and I am very, very hopeful that after the record is developed from this hearing that we can very quickly move to a legislative solution to cure this cancer on the internet.

And with that, Mr. Chairman, I have an official statement for the record, but I will yield my time back.

Mr. Stearns. By unanimous consent, so ordered. 

Chairman Barton. Thank you. 

[The prepared statement of Hon. Joe Barton follows:] 

Prepared Statement of Hon. Joe Barton, Chairman, Committee on Energy and Commerce

Thank you, Mr. Chairman, for holding this hearing today. It continues this Committee’s longstanding work in the area of consumer protection.

Spyware may be unfamiliar to many Americans, but unfamiliar does not mean unaffected. I suspect a large number of those in this room are victims of some of these foul abuses. Certainly all of us who use the Internet are threatened by them. And the very nature of the abuse is what keeps everyone threatened by it from seeking relief. It is aptly named spyware. Its installation is often sneaky or deceptive and even when it runs it often goes undetected. And when consumers notice related problems with their systems, those problems are easy to misdiagnose. Even those that are technically savvy and aware of what is on their system may not be able to uninstall spyware.

Much of the recent discussion surrounding spyware has focused on the difficulty in defining what it is. The most pernicious of the software is composed of keystroke loggers and screen-capture utilities. This has both privacy and security issues for consumer Internet use. For example, some software can pick up your sensitive financial information when you use on-line banking, or it could monitor your email traffic and transmit personal information contained in that email. Both could lead to identity theft and other privacy and security abuses.

There is also “adware.” While adware does not capture keystrokes it often captures information, like websites visited, and sends that information back to a central server for the purpose of delivering targeted advertising. I would be suspicious of someone following me around the shopping mall and popping over to me and offering me a better deal each time I reached a register. I suspect most of us would call the police. But this adware does the very same thing. It follows you around the Internet and just as you are looking at purchases, it invades your computer with related and often unrelated offers. There may be some who would consent to this “point of sale” availability of information. It is certainly marketing genius. But, without informed consent, it is a true invasion of privacy.

We ran a sweep of a Committee computer earlier this week and discovered there were over 167 “hits” for third party cookies and adware. A recent demonstration by an anti-spyware software company showed that most of that software ended up on the computer just by visiting a site. No consent was requested and none was given. If I want someone to come into my home I invite them into my home — if they come in uninvited that is a trespass. And certainly if they take something from inside without authorization it is a burglary. The same should hold true for access to my home and information via my computer.

The Internet has been a great boon to society as a tool for information and commerce. But, surfing the web is increasingly becoming a defensive exercise for consumers who wish to protect their privacy and maintain the security of their information. If this dynamic does not change soon, there is a real risk of undermining all the commercial gains the Internet has achieved. I thank our witnesses for their participation today and look forward to their testimony. In particular, I would like to thank Ms. Bono and Mr. Towns for their leadership in introducing legislation to enhance disclosures to consumers concerning spyware. After this hearing I will be working with all Members of the Committee on a legislative solution to this problem.

Thank you and I yield back.

Mr. Stearns. And I thank the distinguished chairman and at this point we’ll have the author of the bill, the gentlelady from California, for an opening statement.

Ms. Bono. Thank you, Chairman Stearns, and Chairman Barton for your leadership on this issue. I welcome the full weight of the committee chairman and subcommittee chairman behind this legislation. It’s also been a pleasure to work with Congressman Ed Towns who apparently caught a flight home today.

We introduced H.R. 2929. We called it the Safeguards Against Privacy Invasions Act. I look forward to hearing from all of our witnesses this morning.

Spyware is a technological disease that is proliferating each day. It threatens the efficiency of our computers and internet services as well as the security of our personal information and private transactions. Spyware programs can secretly hijack web browsers and collect web surfing patterns, keystrokes, password information, all that without the computer user ever knowing that it has even occurred.

In fact, more often than not, computer users have no idea that they have downloaded spyware, nor do they have any idea as to how they obtained it. Yesterday, Harris Interactive released a web at work study which discovered that 92 percent of information technology managers estimate that their organizations have been infected by spyware at some point. However, only approximately 6 percent of the employees who access the internet at work say they have ever visited websites that contain spyware.

EarthLink and Webroot Software recently scanned more than 1 million personal computers and reported 23.8 million cookies and approximately 5.7 million adware and spyware programs. Pest Patrol, which sells its own spyware remover, estimates that there are more than 78,000 lurking spyware programs. One of the main conduits for the spyware industry is the peer to peer file sharing scheme. Free file sharing services like Grokster and Kazaa, which are also centers for illegal copying, usually tie several pieces of adware and spyware to their programs. Kazaa, for example, bundles Gator with its software. Gator, in turn, contracts with companies who want targeted advertisements. For a fee, Gator agrees to disseminate its software so that internet habits can be monitored, enabling targeted advertisements.

However, spyware is not limited to bundling with other software programs such as Kazaa. In fact, some websites and e-mail messages trick computer users into downloading spyware. One common trick is to alert the computer user that his or her system is vulnerable and he or she must immediately download a security patch. However, the patch only turns out to be spyware or adware. Spyware affects everyone from the most tech savvy computer users to the least tech savvy computer users and certainly unsuspecting teens and kids.

Lynn Vaccaro, a manager at Errol Electronics, one of the largest distributors of computer products, was having difficulty with pop up ads, so she tried different pop up stoppers to no avail. She then realized she had spyware on her computer. She downloaded SpyBot Search and Destroy and many other scanner and removal tools. The tools worked so well that they eliminated parts of Internet Explorer as well as Windows. She then had to reload both of them.

H.R. 2929 would require that spyware companies give clear, concise and conspicuous notice to computer users about the function of their software as well as the information that may be collected and transmitted through their software. After giving such notice, the computer user would have to agree to the downloading of the software. In other words, under the SPI Act, spyware would no longer be used to spy on unsuspecting computer users.

Although Congress has a responsibility to address the issues surrounding spyware, it is equally imperative that the Federal Trade Commission, as well as the technology industry, does all that it can to protect consumers from spyware. Moreover, it is necessary that we collectively educate consumers about the nature and the threats of spyware.

I hope this hearing will help all of us learn more about spyware and it will enable us to begin tackling some of the complicated and technical questions that are related to spyware.

Thank you, Mr. Chairman.

Mr. Stearns. I thank the gentlelady. Mr. Shimkus. 

Mr. Shimkus. Thank you, Mr. Chairman. I’ll be brief. I bought a new Dell. I got Windows XP. I’m disappointed with both of those. My computer is lots more sluggish than it ever was under my own system that had less memory, less capabilities, and it’s unfortunate and I think it’s because I’ve got programs competing with each other. It’s like trying to ride an old Western, you’re on that stagecoach and you’ve got those 16 horses and you’ve got both reins and you just can’t control it. It’s tremendously frustrating and I’m not tech savvy at all.

So this is one of many issues that I think is frustrating the public and I’m glad Mary has seen fit to work with Mr. Towns and really address this. This hearing is very, very important.

This also gives me the opportunity, because of the inability to control our own personal computers any more. It also gives me the chance to advertise once again for .kids.us, the importance of that, if you want to protect kids on the internet, and we have a late weekend sale, we’re having our hearing, I think next week, Thursday, maybe, so those of you who have not got a site up on .kids.us, you still have time before we have the hearing and start identifying those good entities that are trying to protect kids and those who are still a little negligent and we will continue to try to coerce them.

I did receive an e-mail, Mr. Chairman, if I may submit it into the record.

Mr. Stearns. By unanimous consent, so ordered. 

Mr. Shimkus. It’s from a Sergeant First Class on peer to peer issues and it’s probably well known in the community. The other issue to this debate is the threat to national security. If these things are on Department of Defense computers and individuals have the ability then to snoop around in our intelligence community, Department of Defense, FBI and the like, this is a really serious national security concern. I think this article highlights that and so I think this is a very timely hearing. I thank you for calling it and I thank my colleague, Mary Bono, for bringing it to our attention.

I yield back. 

Mr. Stearns. I thank the gentleman. The gentleman from Michigan, Mr. Upton.

Mr. Upton. Well, thank you, Mr. Chairman. I want to thank my colleague, Ms. Bono, as well, for the great work she’s done on this legislation. I might say that I’ve got a Dell as well at home with an XP in it. At the beginning when you turn it on, I used to make a joke with my kids that there’s a lot of little guys inside, the click, click, and they run around trying to plug in the old circuits, sort of like the old telephone, but now it’s — you need Raid because you find out, in fact, it’s not little guys in there. It’s spiders. And I’ve been a victim of spyware as well. I don’t know how many hundred, Mr. Barton, that I have, but I have a 12-year-old and a 16-year-old and we had to have the computer doctor come visit and take it away and take it to the ER and it’s on life support. Found out it couldn’t even deal a deck of cards in Solitaire, it was so slow, it was so pathetic. It’s bad. It is bad.

I think for a lot of Americans when they become victims of this they’re a little surprised and they become very alarmed and then they become very angry and bitter that someone would violate their personal space, whether it be Kazaa or anybody else, and in fact victimized an entire family, homework and everything else that a PC provides assistance with.

So I think that we need legislation on this. I think we need strong penalties. Some might suggest the death penalty. I don’t know that we’ll go that far, we’ll look for some judiciary help, but I want to thank my colleague, Ms. Bono, for this. I want to thank you, Mr. Chairman, for holding this hearing and hopefully, we will move on a strong bipartisan basis to use the Raid to get those little guys out of there.

I yield back my time. 

Mr. Stearns. I thank the gentleman. The gentleman from New Hampshire, Mr. Bass.

Mr. Bass. Thank you, Mr. Chairman, a great hearing. I’ve all the same issues that everybody else has talked about today. I’m eager to hear the witnesses, so I yield back.

Mr. Stearns. I thank the gentleman. Mr. Otter? 

Mr. Otter. Well, thank you, Mr. Chairman, and let me join in this core of folks in showing appreciation to Ms. Bono for her efforts on bringing this to our attention and also holding this hearing and getting some sort of a resolve.

Over the last few years, this Congress has debated the privacy issues on many fronts. The passage of the Health Insurance Portability and Accountability Act created new privacy protection for individuals in the health market. However, Congress also passed the Patriot Act, which has caused many, including myself, to carefully evaluate the value we place on personal privacy. I believe many in the public are not aware of the many ways they are being watched online, tracked online, and in recent years there has been an increased awareness of identity theft, yet we still hear little about the intrusiveness and the risk associated with spyware.

There’s no doubt that the function of spyware is to watch, to track, to record an individual’s internet usage and activity, often without the knowledge of the user. I’m very interested in hearing from the witnesses today on what they believe is an appropriate way to notify users before they download spyware.

I’m also very concerned about the websites like Kazaa that infect computers with spyware in exchange for providing user access to stolen goods and then profit from them by selling the information collected by spyware to other advertisers. As an advocate of personal responsibility, I also believe that users who participate in these illegal activities on these sites, such as music and movie theft, should expect to be taken advantage of and I have little sympathy for them.

If you’re going to play with fire, you need to expect to get burned. So if you don’t want spyware from Kazaa and other similar sites on your computer, don’t participate in these illegal activities.

Mr. Chairman, once again, I thank you and I thank Ms. Bono for the opportunity to examine these issues and look for solutions in solving them. I yield back.
Mr. Stearns. I thank the gentleman and just for his information, we’re going to have a hearing on this Kazaa and the peer to peer later.

The gentleman from Arizona, Mr. Shadegg. 

Mr. Shadegg. Thank you, Mr. Chairman, I am also anxious to hear the witnesses because I think this is an extremely important topic. I similarly want to congratulate our colleague from California, Ms. Bono, on bringing an important issue to the committee. I think this is an issue that we need to be very attentive to and quite frankly, it’s an area where I think we need legislation. I want to compliment you on holding the hearing.

Mr. Stearns. I thank the gentleman. We also welcome Mr. Inslee from the State of Washington. He is a guest here with the committee.

[Additional statement submitted for the record follows:] 

Prepared Statement of Hon. Barbara Cubin, a Representative in Congress from the State of Wyoming

Thank you, Mr. Chairman, for holding this timely hearing.

I would also like to thank the distinguished panel of witnesses here today. Today’s hearing brings together an assembly of panelists who are recognized experts of various technological industries, and I anticipate their insights to be of unparalleled value as we delve into the issues surrounding spyware.

As Americans become increasingly dependent upon computer technology to navigate everyday life, there is a consumer-driven demand for technology to be perpetually updated. Unfortunately, in the continuously expanding domain of computer technology, there also exists the knowledge to utilize software for less desirable results. Today’s hearing will educate and warn us all of an emerging, largely undesirable software technology phenomenon known as spyware.

Today’s hearing will foster debate and thought regarding several complex issues surrounding spyware. First and perhaps most gravely is the need to develop a clear and accepted definition of spyware. We must first acknowledge that instances where this type of software can be used by third parties for valid and useful purposes do in fact exist. However, it is when this technology is utilized for unethical and fraudulent purposes that alarm must be raised. While most Americans will never understand how spyware is engineered, it is indisputably unacceptable for someone to secretly download software onto another’s computer with the intent of stealing personal information. Therefore, today’s debate should be based upon the bad practices and deviant behavior of promulgators of spyware rather than its technological aspects.

Aside from the need to apply a definition to spyware, there also exists a need to examine the more complex matter of enforcing punishment of the inappropriate use of this technology. While consumers may not object to receiving advertisements, a line must be drawn before people are allowed to use spyware for more invasive and intrusive purposes. Today’s hearing will reveal what steps software industry leaders are taking to protect consumers from such invasions and increase our understanding of what role Congress should play in this capacity.

Most importantly, today we have the opportunity to help raise consumer awareness of the increasingly dangerous use of spyware. The majority of American consumers have likely been affected by spyware at some level, and I foresee today’s hearing as the embarkment of a large-scale campaign to help Americans better educate and protect themselves from the inappropriate use of spyware.

Thank you, Chairman, and I yield back the balance of my time.

Mr. Stearns. Since the opening statements are complete, we’re going to depart from the normal schedule and hearing from the witnesses. We’re going to go to a demonstration. I would hope that we would have an actual demonstration of how spyware is used and so, without further ado, we’ll have this demonstration.

Mr. Friedberg. Actually, it’s going to be part of my testimony, so I can do it all at once.
Mr. Stearns. We’ll let you start and go ahead and do that then.

STATEMENTS OF JEFFREY FRIEDBERG, DIRECTOR OF WINDOWS PRIVACY, MICROSOFT; DAVID N. BAKER, VICE PRESIDENT, LAW AND PUBLIC POLICY, EARTHLINK; HON. MOZELLE W. THOMPSON, COMMISSIONER, FEDERAL TRADE COMMISSION; J. HOWARD BEALES III, DIRECTOR, BUREAU OF CONSUMER PROTECTION, FEDERAL TRADE COMMISSION; AND ARI SCHWARTZ, ASSOCIATE DIRECTOR, CENTER FOR DEMOCRACY AND TECHNOLOGY

Mr. Friedberg. Great. Chairman Stearns, Ranking Member 
Schakowsky and members of the subcommittee, my name is Jeffrey 
Friedberg and I am the Director of Windows Privacy at Microsoft 
Corporation. Thank you for the opportunity to share our views on 
this growing threat to computer users around the world. I’d like to 
comment the subcommittee for holding this hearing and its bipar- 
tisan approach to this important consumer issue. 

I’d also like to acknowledge Representatives Bono and Towns for 
the time and energy they have invested. 

Spyware and deceptive software share a common theme. They 
use ambiguity, coercion, deceit and outright trickery to lure and 
even force users to execute or install unwanted programs. They can 
be invasive, offensive and even destructive. 

Our customers complain that deceptive software degrades their 
computing experiences, in some cases, making their computers un- 
usable. We have evidence that this software is at least partially re- 
sponsible for approximately half of the application crashes our cus- 
tomers report to us. It has become a multi-million dollar support 
issue for computer manufacturers, ISPs and companies like Micro- 
soft. 

I’m going to show you some examples of how our customers have 
been tricked. My first slide illustrates what we call a pop-under ex- 
ploit. We don’t have it on the back screen at the moment. 

Chairman Barton. I think we have spyware infecting our appli- 
cation here. 

Mr. Friedberg. Great. 

Mr. Stearns. Do you just want to turn down the lights a little 
bit? Is that possible to do that? 

Mr. Friedberg. So in this case a user goes to a website they 
trust. I’ve simulated a news website here, may be their favorite 
site, and after a delay 

Mr. Stearns. Just pull the mic up a little bit more because when 
you turn your head, we lose you. 

Mr. Friedberg. Sorry. And after a delay, they get the security 
warning which is normal which says hey, somebody is trying to 
download software to you. Now the user thinks this might be com- 
ing from the trusted site, but if you watch the screen carefully, 
you’ll notice that it’s actually coming from a window underneath, 
what we call a pop-under window that’s just lying in wait, hoping 
that this can happen in which case the user might think this 
download is for the trusted site and might click yes. 

This next one which is one of my favorites is cancel means yes. 
If you look at this screen, it looks like an official security update 
or some kind of privacy update. In fact, if you read it carefully, it 
says this is a security update, a personal privacy protection update 
and a system update. They’ve used every buzz word they can imag- 
ine and it’s provided these okay and cancel buttons and it looks 
quite bona fide. The reality is that this is actually just an image 
and none of these buttons are functional. In fact, if you click on the 
okay or even the little X in the corner, it will all take you to the 
site and attempt to download software to your machine. This is 
quite deceptive. 

Here’s another example of the same kind of trick. The security 
alert in this window is embedded and again provides the Yes/No 
cancel buttons, but it’s just a picture and people can embed pic- 
tures in web pages. This is a normal thing. But it tricks users and 
they click somewhere on this window and one of these buttons and 
it still takes them to the site and attempts to download the soft- 
ware. 

Another thing that bothers me about it is it says “warning, your 
computer is being attacked by spyware and adware.” Well, how do 
they know that? I mean this is basically just scare tactics in order 
to get people to download this software. 

Finally, in the browser there’s a security setting. This is one 
other way that unwanted software can end up on your machine. If 
you set it to the low setting, it means that all sites you visit are 
trusted. I call this leaving your front door open. In this case, there’s 
no warning, the software will simply load because you’ve told the 
system everything is trusted. We first off have a default which is 
medium and we recommend to users to leave it at medium or high- 
er. So these slides provide just a sample of the ways users can be 
tricked. I’ve included other examples in my written testimony. 

There is no silver bullet to address the wide range of issues with 
deceptive software. We believe it will take a comprehensive ap- 
proach that has four key elements. The first is better consumer 
education. Today’s hearing and last week’s FTC workshop height- 
ened consumer awareness of the problems caused by deceptive soft- 
ware. To complement these efforts, Microsoft recently launched a 
website www.microsoft.com/spyware to help consumers understand, 
identify, prevent and remove deceptive software. 

The next element is technology. Microsoft will make available 
this summer a free update to Windows XP called Service Pack 2. 
It will include a new pop up blocker, and pop ups are one of the most 
common ways that people get a proposition for a download through 
a pop up experience. Pop up blocker shows up in this thing called 
an information bar in Internet Explorer. It gives people both notice 
and choice of what’s happening to them with the pop ups. They can 
choose to block them or choose to allow them through or do that 
by site. 

I know my financial institution needs pop ups to work, so I 
would turn up pop ups for that site. 

Another feature is this new download blocker. It specifically is 
designed to prevent forced downloads. These are downloads that 
are unsolicited. You go visit a website and somebody attempts to 
jam software on your machine. Instead of that happening, you get 
a little warning in this little information bar that says hey, some- 
one is trying to download some software, what do you want to do? 
And you don’t have to take any action. By having this blocker, you 
don't have to be interrupted and take action and it's suppressed 
until you decide on your terms to do something about. 

This helps with two problems. One is that it prevents the pop- 
under exploit I mentioned earlier and second, I have small kids 
and they don’t even read and I ended up with some kind of 
spyware in my system because they clicked yes to some dialog that 
popped up in the middle of a game. This would prevent that from 
happening. They won’t even see that opportunity to download this 
kind of software. 

We’ve also cleaned up the install prompts. The one on the left is 
the old one and there’s opportunity for some publishers to throw 
a lot more information there than we had wanted originally which 
makes a very confusing experience. If you’ve actually looked at the 
one on the left more carefully, it’s almost a miniature license agree- 
ment thrown in this experience which is totally inappropriate. 

The one on the right makes that much more difficult to do and 
it truncates the line, makes it much easier to spot someone trying 
to trick you. We also added a new feature called never accept soft- 
ware from a publisher. So you could choose by publisher to say 
look, I don’t want software from you anymore and block that from 
happening. 

The last thing, as I mentioned earlier about leaving your front 
door open, it seems intuitively obvious well look, if low is kind of 
dangerous for most users, why do you offer it? So now we actually 
pop an arrow that says look, you really can’t set it to low anymore. 
Expert users can get around this and if they want to lower their 
settings they can, but for the majority of users, at least we’ve done 
something to slow down this accidental way that they leave their 
doors open. 

So these improvements, as well as others we are working on, will 
advance our goal of helping users better understand what software 
they are running and installing and whether they can trust it. 

The third element of our approach is industry-wide best practices 
which we believe will create an incentive for legitimate software 
publishers to do the right thing. Best practices will also serve as 
a foundation for programs that certify good actors and thereby en- 
able consumers to make more informed decisions. In the end, we 
believe self-regulatory measures will best account for the complex- 
ities of different software applications and evolve to meet the ever- 
changing nature of technology. 

The fourth element is aggressive enforcement of existing laws. 
Such enforcement could put some of the most insidious violators 
out of business which would have a significant impact on the 
amount and the type of deceptive software that is produced and 
distributed in the United States. 

Finally, for what is not already illegal under existing law, federal 
legislation can help fill in the gaps. That said, any legislation 
must carefully target deceptive behavior rather than specific fea- 
tures or functionalities. My written testimony provides examples of 
areas in which legislation can impose ineffective or impractical re- 
quirements. As you consider legislating in this area, we urge you 
to avoid such unintended consequences. 

In conclusion, we applaud the subcommittee for holding this 
hearing today and appreciate the opportunity to share our experience 
and recommendations. We are committed to working with you 
to thwart the efforts of those who produce industry-deceptive soft- 
ware and to restore choice and control to our customers. 

Thank you. 

[The prepared statement of Jeffrey Friedberg follows:] 

Prepared Statement of Jeffrey Friedberg, Director of Windows Privacy, 
Microsoft Corporation 

Chairman Stearns, Ranking Member Schakowsky, and Members of the Subcommittee: 
My name is Jeffrey Friedberg, and I am the Director of Windows Privacy 
at Microsoft Corporation. I want to thank you for the opportunity to share with the 
Subcommittee our views on this burgeoning threat to computer users around the 
world. Spyware and other deceptive software share a common theme: they use ambi- 
guity, coercion, deceit, and outright trickery to lure or even force users to execute 
or install unwanted and often invasive programs. Our customers complain that this 
software degrades their computing experiences — in some cases rendering their com- 
puters unusable — and causes them to feel frustrated and out of control. It also com- 
promises their privacy and can make their computers more susceptible to attack. 

Microsoft applauds Congress and the members of this Subcommittee for their at- 
tention to this problem. In particular, we would like to acknowledge Representatives 
Mary Bono and Ed Towns for the time and energy they have invested. Stopping the 
spread of deceptive software is one of Microsoft’s highest priorities. We are com- 
mitted to providing consumers with the information and technology that will help 
protect them against deceptive software. And we are committed to working with 
you, law enforcement, and others in the industry to identify and penalize the per- 
petrators of these nefarious programs. 

Today, I want to describe the nature and nuances of deceptive software, and ex- 
plain Microsoft’s comprehensive strategy for tackling this issue. As with any issue 
that raises consumer protection concerns, there are a number of ways in which the 
public and private sectors, working together, can address the problem. These in- 
clude educating consumers, developing new technology to help protect users and to 
empower them to make more informed choices, identifying industry standards and 
best practices, and taking enforcement actions against those engaged in fraudulent, 
deceptive, and unfair practices. To the degree existing law fails to capture bad ac- 
tors, legislation could complement this strategy, but we believe it should be carefully 
crafted to target the bad behavior — not the underlying technology. Overbroad legis- 
lation could place an undue burden on legitimate software, and seriously undermine 
the user experience. 

What Is Deceptive Software? 

Let me explain what, exactly, I mean by deceptive software. Deceptive software 
generally describes programs that gain unauthorized access to a computer — whether 
to spy on user activities, hijack user configurations, or deliver intrusive and un- 
wanted pop-up advertisements. The common thread that unifies deceptive software 
programs — and that distinguishes them from legitimate applications — is their lack 
of notice and choice, and their absence of respect for users’ ability to control their 
own computers. With proper disclosure, user authorization and control, these same 
features can be an asset: user-approved tracking can lead to personalization; user- 
approved configuration changes (for example, setting a new search page) can yield 
a better user experience; and user-approved displaying of advertisements can 
subsidize the cost of a service (such as e-mail), making it cheaper or even free for 
consumers. In short, the problem is with bad practices, not the underlying features. 

There is a spectrum of tricks that cause consumers to load software applications 
that they may not want. To better understand these tricks, it is useful to first brief- 
ly describe a legitimate download experience. I would like to draw your attention 
to Slide A: “User Initiates Download.” This slide represents a typical web site con- 
sumers might visit. On the web site is a link for downloading a program (in this 
example, a program that will display a “stock ticker”). When users click on the link, 
the operating system displays a security warning that asks them whether they want 
to install the program, as shown in Slide B: “Security Warning Displayed.” These 
security warnings are a normal part of the computing experience. 

In some instances, however, web sites manipulate the download experience in an 
attempt to mislead users. When users are presented with a download request and 
security warning, they will often consider the web site they are visiting to decide 
whether to accept the download. If the web site is one they trust, they may simply 
accept the download without much thought. Using a deceptive technique we call a 
pop-under exploit, however, some web sites take advantage of this trust, going out 
of their way to make it more difficult for users to tell which web site is actually 
offering the download. For example, on Slide C: “Pop-Under Exploit — Step 1,” users 
who are visiting a legitimate website are presented with a download request that 
appears to have been generated from that site, which we see on Slide D: “Pop-Under 
Exploit — Step 2.” In fact, the download request was actually launched from a web 
page that is hidden beneath the legitimate site, as we see on Slide E: “Pop-Under 
Exploit — The Trick.” Launching a download request from a pop-under can result in 
a confusing or even misleading experience. It is likely that the user, who cannot 
easily view the underlying web page, will assume that the request came from the 
legitimate site and may choose to download the software for this reason. 

Web sites are often compensated for each software download that occurs from 
their site and in order to increase this volume, some web sites will resort to decep- 
tive practices. For example, a web site might confuse users so that no matter where 
they click, they are taken to a page that requires a download. In this scenario, 
shown on Slide F: “‘Cancel’ Means ‘Yes,’” a user is presented with an image that 
mimics a security warning or update and appears to provide the user with appro- 
priate choices about downloading certain software. However, even if the user clicks 
the “Cancel” button or the “[x]” box to close the window, the web site will attempt 
to download the software onto the user’s machine. This type of trick can also take 
place through embedded security alerts, as shown on Slide G: “Faux Security Alert,” 
where all buttons in the alert mean “yes” and initiate a download experience the 
user did not want. 

Perhaps the most nefarious way that software is installed requires no action on 
the part of the user. In this scenario, bad actors exploit a security hole and covertly 
install software without any notice to or consent from the user. This practice is ille- 
gal under existing law, but bad actors still attempt to deceive users in this fashion. 
To educate consumers on the steps they can take to minimize this risk, we created 
a web site, www.microsoft.com/protect, that recommends (1) keeping systems up to 
date using the free Windows Update service, (2) running up-to-date anti-virus soft- 
ware, and (3) using a firewall like the one included with Windows XP. 

There is one other way that software can get installed without any action on the 
part of the user. If a user sets their browser security setting to “low,” as illustrated 
on Slide H: “Don’t Leave Your Front Door Open,” all sites are assumed to be “trust- 
ed,” and no security warning will be displayed. This can result in what are called 
“drive-by-downloads,” in which the download silently and automatically occurs by 
just visiting a web site. Microsoft encourages users to leave their security settings 
on the default setting of “medium” or higher, and in cases where the browser secu- 
rity level must be set on “low,” we encourage users to reset security back to a higher 
level as soon as possible. 

These slides illustrate just a few of the ways in which users can be tricked into 
downloading unwanted and sometimes destructive software. Other tricks include 
limiting users’ ability to make a fair choice by repeatedly asking them to make a 
decision until they say “yes”; covertly installing software by piggybacking on other 
software being installed; pretending to uninstall; and re-installing without author- 
ization. 

Deceptive Software is a Growing Problem for Our Customers 

Our customers are becoming increasingly frustrated by unwanted and deceptive 
software. We receive thousands of calls from customers each month directly related 
to unwanted or deceptive software, and we have evidence that suggests such soft- 
ware is at least partially responsible for approximately one-half of all application 
crashes that our customers report to us. In addition, our industry partners who 
make computers — sometimes referred to as “Original Equipment Manufacturers” or 
OEMs — have indicated that unwanted and deceptive software is one of the top sup- 
port issues they face, and that it costs many of the larger OEMs millions of dollars 
per year. 

Other estimates support the growing threat of the problem. According to the secu- 
rity software firm PC Pitstop, nearly a quarter of personal computers are afflicted 
with some type of unwanted or deceptive software application. More aggressive esti- 
mates place the total at between 80 and 90 percent of all PCs. Indeed, a 2003 study 
by the National Cyber Alliance found that 91 percent of broadband customers have 
some form of unwanted or deceptive software on their home computers. 

What may be most alarming is the growth of these programs over the past year. 
PestPatrol, which sells spyware detection and removal software, estimates that 
there are now more than 78,000 separate spyware programs in use. In the past 
year, PestPatrol identified more than 500 new Trojan horses (which are programs 
that provide unlimited access to PCs), 500 new key loggers (which monitor and 
record a user's keystrokes), and nearly 1,300 new forms of programs that display 
advertisements. The past year has also seen spyware manufacturers gain strides in 
their ongoing technological battle against anti-spyware removal and detection sys- 
tems. Over the past six months, the number of “burrowers” — programs that dig so 
deeply into an operating system that they cannot be found or removed without 
major and potentially damaging surgery — has increased from six to more than 40. 

The explosion in the volume of unwanted and deceptive software has had an enor- 
mous impact on Microsoft, as has the accompanying increase in the complexity with 
which those programs operate and the damage that they do. Many of our customers 
blame the problems caused by these programs on Microsoft software, believing that 
their systems are operating slowly, improperly, or not at all because of flaws in our 
products or other legitimate software. This costs us not only millions of dollars per 
year in otherwise unnecessary support calls, but also immeasurable damage to our 
reputation and, most importantly, to our efforts to optimize our customers’ computer 
experiences. 

Adopting a Comprehensive Strategy To Combat Unwanted and Deceptive 
Software 

As I have shown, there is a continuum of behaviors that lead or trick users into 
downloading unwanted software programs. In the same vein, there is a continuum 
of solutions that we believe must be part of the strategy to end these behaviors and 
curb the spread of deceptive software. This strategy has four prongs: widespread 
customer education; innovative technology solutions; improved industry self-regula- 
tion; and aggressive enforcement under existing state and federal laws. As I men- 
tioned previously, new, carefully crafted and narrowly focused legislation can also 
play a role to the extent that existing laws do not fully address certain deceptive 
or misleading practices. 

Addressing the Problem Starts with Consumer Education 

The first step in the battle against unwanted and deceptive software is better con- 
sumer education. Once confined to the back pages of industry journals, the problem 
is beginning to move to the mainstream of consumer protection issues, as last 
week’s workshop at the Federal Trade Commission and today’s hearing dem- 
onstrate. These public forums are essential in heightening consumer awareness of 
the problems caused by deceptive software. 

To complement those efforts, Microsoft recently launched a website — 
www.microsoft.com/spyware — with information that is specifically designed to help 
consumers understand, identify, prevent, and remove unwanted and deceptive soft- 
ware. This website explains what spyware is and why it can be dangerous; tells 
users how they can protect their machines from being compromised by these 
unauthorized programs; helps consumers ascertain whether their computers already 
contain unwanted or deceptive software by describing its symptoms, such as sluggish 
performance, an increase in random pop-up advertisements, and a hijacked home 
page; and points users to third-party tools that can detect and remove these pro- 
grams. 

Microsoft is committed to working with Congress and the FTC to continue edu- 
cating consumers about the ways they can prevent unwanted and deceptive software 
from attacking their PCs. While the Internet is an incredible resource that has en- 
abled — and will continue to enable — countless and sweeping improvements in com- 
munications, commerce, and government, that same power requires that computer 
users take the same care for their safety and security online as they would offline. 
As an industry leader, we acknowledge and strive to fulfill our responsibility to edu- 
cate consumers about these and other related issues. Consumers who take steps to 
remove or prevent the installation of this software will not only preserve their own 
privacy, security, and optimum computer experiences, but they will make an impor- 
tant contribution to the larger effort of generally eliminating the problem. The enti- 
ties that produce these programs will have much less incentive to create and 
download their products if consumers take steps to block their use — or at least do 
not respond to the seller on whose behalf the deceptive software purveyor is oper- 
ating. 

Industry Is Working on New Technology To Combat Deceptive Software 

The development of anti-spyware technology should complement the impact of 
consumer education and awareness. For example, third parties have released 
anti-spyware programs that enable users to remove or disable many examples of 
unwanted and deceptive software from their PCs without damaging their existing 
hardware or legitimate software. These tools are continually being improved to ad- 
dress new variants and scenarios. 
Microsoft is working on enhancements that will also help address the problem. 
For example, we will soon be introducing Windows XP Service Pack 2 — a free up- 
date for all licensed Windows XP users — that includes features designed to block 
some of the entry points and distribution methods of deceptive software by better 
informing users in advance about the type of software they will be installing. These 
enhancements include: 

• A new pop-up blocker, turned on by default, that will reduce a user's exposure 
to unsolicited downloads (See Slide I: "New Popup Blocker"); 
• A new download blocker that will suppress unsolicited downloads until the user 
expresses interest (See Slide J: "New Download Blocker"); 
• Redesigned security warnings that make it easier for users to understand what 
software is to be downloaded, make it more obvious when bad practices are used 
(e.g., multi-line program names), and allow users to choose to never install 
certain types of software (See Slide K: "Improved Install Prompts"); 
• A new policy that restricts a user's ability to directly select "low" security settings 
(See Slide L: "Harder to Leave Your Front Door Open"); and, 
• Tools to help expert users and support professionals understand and disable 
unwanted functionalities that have been added to the browser. (See Slide M: "New 
Add-On Manager.") 

Beyond Windows XP Service Pack 2, Microsoft is investing in future technologies 
that advance our goal of giving users the ability to understand what software they 
are running and installing, and whether they can trust it. We continue to explore 
ways that we can better inform consumers in advance about programs that they 
plan to install, and to provide them with more control over the installation itself. 
We also are striving to enhance and simplify the ways in which our customers can 
see what software is running on their computers, and to evaluate what to do with 
that software based on their preferences. And we are working to advance tech- 
nologies that can be used by our entire spectrum of customers — from the most so- 
phisticated enterprise to the most novice consumer — because we want them all to 
have an equally fulfilling computer experience. 

Industry Best Practices Are an Important Part of the Solution 

The third important part of our strategy is to develop a set of industry-wide best 
practices. Developing best practices is critical because they will create an incentive 
for legitimate software publishers to distinguish themselves from less scrupulous 
publishers and minimize the risk of being classified with the bad actors that engage 
in deceptive practices. Best practices will also serve as a foundation for programs 
that certify and label good actors and thereby enable users to make more informed 
decisions about the type of software they execute and install on their computers. 

The first step in this process is developing an understanding of the devious, de- 
ceptive, or unfair practices that adversely affect consumers. The Center for Democ- 
racy and Technology (CDT) has made great strides in this area through its Con- 
sumer Software Working Group, of which we are a member. This group includes 
public interest organizations, software companies, Internet service providers, and 
hardware manufacturers, all of whom have worked hard to identify a set of decep- 
tive practices that raise serious concerns. These practices — many (if not all) of which 
are illegal under existing law — should help focus regulatory and law enforcement ef- 
forts on the truly bad actors. 

In addition to recognizing bad practices, we think it is equally important to begin 
to develop best practices in certain scenarios. These scenarios include the collection 
and transmission of personal information, the display of advertisements, and 
changes to configuration settings that affect the Internet browser home page or 
browser search page. The touchstone of these best practices should be appropriate 
notice and consent. Users should understand what the software will do in these sce- 
narios before it is executed, and they should then have a choice about whether to 
execute it. In addition, programs with these features that are installed on a user’s 
computer should also be easily uninstalled or disabled — or if that is not possible, 
the user should be clearly informed of that fact upfront. 

Microsoft is actively extending its best practices to explicitly include the scenarios 
highlighted above. We are committed to working with other companies in the indus- 
try to ensure that users have high-quality experiences with legitimate software. And 
we would be happy to share our best practices to the extent they would be helpful 
in moving the industry forward to this common goal. In the end, self-regulatory 
measures more than federal requirements will help industry leaders define and im- 
plement best practices that account for the complexities of different software appli- 
cations and can evolve to meet the ever-changing nature of technology. 
Enforcement Is a Critical Part of the Fight Against Deceptive Software 

A fourth key weapon to stop the spread of deceptive software is the aggressive 
enforcement of existing laws. Such enforcement could put some of the most insidious 
violators out of business, which would have a significant impact on the amount and 
type of deceptive software that is produced and distributed in the United States. 
Moreover, a few targeted enforcement actions would serve as a powerful deterrent 
to other manufacturers of deceptive software. 

Enforcement actions are possible using existing law. For example, under the Fed- 
eral Trade Commission Act, the FTC is empowered to challenge unfair and decep- 
tive trade practices, which — by definition — are at the heart of virtually all deceptive 
software programs. Many states have similar laws that authorize their own enforce- 
ment agencies to prosecute entities that engage in these same types of practices. 
And the Computer Fraud and Abuse Act provides other law enforcement agencies 
with the means to address spyware threats that involve hacking into users’ com- 
puters. Given the growing sophistication, diversity, and proliferation of spyware, the 
private and public sectors should combine their resources to hold those who publish 
illegitimate deceptive software accountable for their actions and the damage they 
perpetrate. 

Congress Should Proceed Cautiously 

Microsoft is hopeful that the combination of user education, improved technology, 
industry best practices, and enforcement of existing laws can effectively combat the 
growing problem of deceptive software. Although we have seen an increase in the 
amount and complexity of deceptive software in recent months, it is encouraging to 
see the stepped-up response of both the public and private sectors. We are open to 
considering whether federal legislation can provide an additional layer of protection 
and another weapon in the fight against deceptive software. However, Microsoft of- 
fers two important caveats when considering federal legislation. 

First, as noted above, many deceptive software programs are already either pro- 
hibited under existing law — such as the Computer Fraud and Abuse Act — or are 
subject to the FTC’s jurisdiction over unfair and deceptive trade practices. Any addi- 
tional federal legislation deemed necessary to outlaw deceptive software must be 
carefully crafted to supplement the existing legal framework only where gaps are 
identified. 

Second, any legislation should target deceptive behavior, rather than specific fea- 
tures or functionalities, to avoid imposing unworkable requirements on legitimate 
programs and negatively impacting computer users. Examples of some unintended 
consequences of well-intentioned legislation include the following: 

• Disruptive User Experience. Many legitimate software programs contain an information-gathering activity to perform properly, including error reporting applica- 
tions, troubleshooting and maintenance programs, security protocols, and Inter- 
net browsers. Imposing notice and consent requirements every time these legiti- 
mate programs collect and transmit a piece of information would disrupt the 
computing experience, because users would be flooded with constant, non- 
bypassable warnings — making it impossible to perform routine Internet func- 
tions (such as connecting to a web page) without intolerable delay and distrac- 
tion. 

• Compromised Consent Experience. “One size fits all” notice and consent requirements may not give users sufficient context to make informed decisions. For ex- 
ample, requiring notice and consent at the time of installation ignores the im- 
portance of a technique we refer to as “just in time” consent, which delays the 
notice and consent experience until the time most relevant to the user — just be- 
fore the feature is executed. If a program crashes, for instance, Windows Error 
Reporting functionality will ask the user whether he or she would like to send 
crash information to Microsoft. At this time, the user is able to examine the 
type of information that will be sent to Microsoft and to assess the actual pri- 
vacy impact, if any, of transmitting such information in light of the potential 
benefit of receiving a possible fix for the problem. In this case, the user under- 
stands the costs and benefits of the proposition being made and is able to make 
an informed choice. Presenting the notice and choice experience at the time of 
installation, on the other hand, would lack this critical context. 

• Unrealistic Uninstall Requirements. Requiring standardized uninstall practices for all software would be unworkable in many circumstances. For example, there 
are cases where a full and complete uninstall is neither technically possible nor 
desirable, such as with a software component that is in use and shared by other 
programs. In addition, there are other cases where an uninstall may be tech- 
nically possible, but the cost to provide such functionality would be prohibitive, 
such as with complex software systems that may require the entire software 
system to be removed. Finally, there are situations where requiring uninstall 
could actually compromise the security of the system, such as backing out security 
upgrades or removing critical services. 

There are many other areas in which legislation could fall into similar traps, im- 
posing ineffective or impracticable requirements, or even threatening PC security 
and usability. We therefore encourage Congress to focus its attention on the devious 
practices of deceptive software, including those identified by CDT and its Consumer 
Software Working Group; to legislate only to the extent such practices are not al- 
ready illegal under existing law; and to engage industry experts in understanding 
the complexities of software, thereby ensuring appropriate due diligence to avoid un- 
intended consequences. 

Unwanted and deceptive software is a growing problem, and we believe that a 
multi-faceted approach is needed: improved consumer education; new technology so- 
lutions; a comprehensive set of industry best practices; and aggressive enforcement 
of existing laws against violators. This approach will enable consumers to make 
more informed decisions about installing software; help distinguish good actors from 
bad ones; and make being bad an expensive proposition. We commend the Sub- 
committee for holding this hearing today and thank you for extending us an invita- 
tion to share our experience and recommendations with you. Microsoft is committed 
to working with you to thwart the efforts of those who produce and distribute these 
deceptive programs, and to restoring choice and control back where it belongs — in 
the hands of consumers. 
Mr. Stearns. I thank you for your demonstration. 

Mr. David Baker, who is Vice President, Law and Public Policy 
with Earthlink. We welcome you. 

STATEMENT OF DAVID N. BAKER 

Mr. Baker. Mr. Chairman Stearns, Ranking Member 
Schakowsky, ladies and gentlemen of the committee, thank you for 
inviting me here today. I’m Dave Baker, Vice President for Law 
and Public Policy with Earthlink, headquartered in Atlanta. 
Earthlink is the Nation’s third largest internet service provider, 
serving over 5 million customers nationwide with dial-up, 
broadband, web posting and wireless internet services. 

Earthlink is always striving to improve its customers’ online ex- 
perience. To that end, we appreciate the attention this committee 
is paying to the growing problem of spyware. We may be at the 
point in time with regard to the development and proliferation of 
spyware that we were just a year or 2 ago with spam. In other 
words, spyware is just now being noticed by many consumers, yet 
threatens to grow to the point where it could soon compromise 
their online experience and security if it does not do so already. 

As the Wall Street Journal noted just this past Monday, April 26, 
“indeed spyware, small programs that install themselves on com- 
puters to serve up advertising, monitor web surfing and other com- 
puter activities and carry out other orders is quickly replacing 
spam as the online annoyance computer users most complain 
about.” 

Also like spam, we must fight spyware on several fronts, using 
legislation, enforcement, customer education and technology solu- 
tions. To this end, we applaud the efforts of Congresswoman Bono, 
Congressman Towns, other members and this committee to intro- 
duce legislation such as H.R. 2929, the Safeguard Against Privacy 
Invasions or SPI Act, prohibiting the installation of software with- 
out consent, requiring uninstall capability, establishing require- 
ments for transmission pursuant to license agreements and requir- 
ing notices for collection of personally identifiable information, in- 
tent to advertise, and modification of user settings are all steps 
that will empower consumers and keep them in control of their 
computers and their online experience. 

As a leading internet provider, EarthLink is on the front lines in 
combating spyware. EarthLink makes available to both its cus- 
tomers and the general public technology solutions to spyware such 
as EarthLink Spy Audit powered by Webroot. Spy Audit is a free 
service that allows users to quickly examine his or her computer 
and detect spyware. A free download of Spy Audit is available at 
our website and a screen shot of this web page is attached as Ex- 
hibit A to my testimony. EarthLink members also have access to 
Spyware Blocker which disables all common forms of spyware in- 
cluding adware, system monitors, key loggers and Trojans. 
EarthLink Spyware Blocker is available free for EarthLink mem- 
bers as a part of Total Access 2004, our internet access software 
and a screen shot with information on Spyware Blocker is attached 
as Exhibit B to my testimony. 

We include useful tools such as spamBlocker, Pop-Up Blocker, 
Virus Blocker, Privacy Tools and Parental Controls in addition to 
Spyware Blocker and we will soon be introducing Scam Blocker 
which will help users detect and avoid nefarious phisher sites. 

On April 15, 2004, EarthLink and Webroot announced the re- 
sults of their Spyware Audit report. Over 1 million Spy Audit scans 
performed from January 1 through March 31st of this year found over 
29.5 million instances of spyware. This represents almost 28 in- 
stances of spyware per scanned PC. While approximately 23.8 mil- 
lion of these installations were mostly harmless adware cookies, 
the scans revealed over 5.3 million installations of adware and 
more seriously, over 184,000 system monitors, and almost 185,000 
Trojans. A copy of the EarthLink/Webroot press release detailing 
these findings is attached as Exhibit C to my testimony. 

Spyware is thus a growing problem that demands the attention 
of Congress, the FTC, consumers and industry alike. Through the 
efforts of Congress to introduce legislation like the SPI Act, the 
FTC to investigate the issue at its recent spyware workshop and 
through industry development of anti-spyware tools, we can all help 
protect consumers against a threat that is often unseen, but very 
much real. 

Thank you for having me here today. 

[The prepared statement of David N. Baker follows:] 

Prepared Statement of David N. Baker, VP, Law & Public Policy, EarthLink, 

Inc. 

Mr. Chairman, Ladies and Gentlemen of the Committee, thank you for inviting 
me here today. I am Dave Baker, Vice President for Law and Public Policy with 
EarthLink. Headquartered in Atlanta, EarthLink is the nation’s 3rd largest Internet 
Service Provider (ISP), serving over 5 million customers nationwide with dial-up, 
broadband (DSL, cable and satellite), web hosting and wireless Internet services. 
EarthLink is always striving to improve its customers’ online experience. To that 
end, we appreciate the attention this committee is paying to the growing problem 
of spyware. 

Spyware: The Next Spam? 

We may be at a point in time with regard to the development and proliferation 
of spyware that we were just a year or two ago with spam. In other words, spyware 
is just now being noticed by many consumers yet threatens to grow to the point 
where it could soon compromise their online experience and security, if it does not 
do so already. 

As the Wall Street Journal noted just this past Monday, April 26, “Indeed, 
spyware — small programs that install themselves on computers to serve up adver- 
tising, monitor Web surfing and other computer activities, and carry out other or- 
ders — is quickly replacing spam as the online annoyance computer users most com- 
plain about.” 

Also like spam, we must fight spyware on several fronts, using legislation, en- 
forcement, customer education and technology solutions. To this end, we applaud 
the efforts of Congress and this committee to introduce legislation such as H.R. 
2929, the Safeguard Against Privacy Invasions (SPI) Act. Prohibiting the installa- 
tion of software without consent, requiring uninstall capability, establishing require- 
ments for transmission pursuant to license agreements, and requiring notices for 
collection of personally identifiable information, intent to advertise and modification 
of user settings are all steps that will empower consumers and keep them in control 
of their computers and their online experience. 

EarthLink Experience 

As a leading Internet provider, EarthLink is on the front lines in combating 
spyware. EarthLink makes available to both its customers and the general public 
technology solutions to spyware such as EarthLink Spy Audit powered by Webroot 
(“Spy Audit”). Spy Audit is a free service that allows a user to quickly examine his 
or her computer and detect spyware. A free download of Spy Audit is available at 
www.earthlink.net/spyaudit. (See Exhibit A, attached hereto.) EarthLink members 
also have access to EarthLink Spyware Blocker, which disables all common forms 
of spyware including adware, system monitors, key loggers and Trojans. EarthLink 
Spyware Blocker is available free for EarthLink members as part of Total Access 
2004, our Internet access software. See www.earthlink.net/home/software/spyblocker 
(Exhibit B, attached hereto). 

Total Access 2004 includes useful tools such as spamBlocker, Pop-Up Blocker, 
Virus Blocker, Privacy Tools and Parental Controls in addition to Spyware Blocker. 

On April 15, 2004, EarthLink and Webroot announced the results of their Spy 
Audit report. Over 1 million Spy Audit scans performed from January 1, 2004 to 
March 31, 2004 found over 29,500,000 instances of spyware. This represents almost 
28 instances of spyware per scanned PC. While approximately 23.8 million of these 
installations were mostly harmless adware cookies, the scans revealed over 5.3 mil- 
lion installations of adware, and more seriously, over 184,000 system monitors, and 
almost 185,000 Trojans. A copy of the EarthLink/Webroot press release detailing 
these findings is attached hereto as Exhibit C. 

Conclusion 

Spyware is thus a growing problem that demands the attention of Congress, the 
FTC, consumers and industry alike. Through the efforts of Congress to introduce 
legislation like the SPI Act, the FTC to investigate the issue at its recent spyware 
workshop, and through industry development of anti-spyware tools, we can all help 
protect consumers against a threat that is often unseen, but very much real. 

Thank you for your time today. 

Mr. Stearns. I thank the gentleman. I’m going to go to the Hon- 
orable Mozelle Thompson, Commissioner, Federal Trade Commis- 
sion and welcome you. 

STATEMENT OF HON. MOZELLE W. THOMPSON 

Mr. Thompson. Thank you, Mr. Chairman and Ranking Member 
Schakowsky, members of the committee and subcommittee. It’s 
good to see you. 

As you know, I’m Commissioner at the FTC and I wish to thank 
the committee for holding this hearing on the important subject of 
spyware. I also appreciate the opportunity to appear before you 
today. 

As you know — well, first, let me begin by telling you the views 
I express here are my own and not necessarily those of the Com- 
mission. 

As you know, the FTC has long been involved with internet 
issues like online privacy, identity theft, cross border fraud and 
spam. And our experience has given us a unique vantage point to 
view developments in the consumer marketplace and identify 
issues that warrant public attention. 

Last week, the Commission held a 1-day public workshop on one 
of those topics, the distribution and effects of software commonly 
referred to as spyware. We began our workshop by asking partici- 
pants to define what spyware is. As the chairman noted, spyware 
commonly refers to software that essentially monitors consumers’ 
computing habits and as such, it necessarily raises privacy issues. 
This software can offer consumers and businesses various benefits, 
including a streamlined interactive online experience and updates 
and can allow businesses to more effectively communicate with 
their customers. However, spyware can also be used as secret soft- 
ware that surreptitiously gathers information and transmits it to 
third parties without the subject’s knowledge or consent. Some- 
times these uses can result in identity theft and other types of 
fraud and in some cases can interfere with the computer’s oper- 
ability. 
These activities undermine consumer confidence in the market- 
place and can also impose extra costs on good actors who are forced 
to compete against those willing to engage in deception, fraud or 
worse. 

I used our workshop as an opportunity to challenge industry to 
promptly develop a set of best practices with respect to spyware. 
These practices should contain several critical elements including 
meaningful notice and choice so the consumers can make informed 
decisions about whether or not they wish to deal with an online 
business that uses monitoring spyware or partners with companies 
that do. 

I also asked industry to develop a public campaign to educate 
consumers and businesses about what spyware is and how it oper- 
ates. This public campaign should also discuss the array of techno- 
logical tools that are available for consumer use. Finally, I called 
upon industry to establish a mechanism that will allow businesses 
and consumers to maintain a continuing dialog on how government 
can take action against those who do wrong and undermine con- 
sumer confidence through the misuse of spyware. 

Now some Members of Congress, including Representative Bono 
and Towns, are calling for spyware legislation. I commend you for 
bringing important public attention to this issue. And I understand 
the desire to take action before the problems associated with 
spyware grow worse and injure more consumers and businesses, 
but I do not believe legislation is the answer at this time. 

Instead, I respectfully submit that we should give industry an 
opportunity to respond to my challenge. My experience working on 
issues like online privacy and spam tells me that in approaching 
such problems any solution must at the very least be based on 
transparency, adequate notice and consumer choice. So I’ve used 
my challenge as a way to set out what I consider to be the critical 
elements that should form a baseline for any industry response. If 
the self-regulatory response is not timely or is inadequate, another 
perhaps legislative approach might be appropriate. 

In any event, whatever is done in this area should work in con- 
junction with existing laws like the FTC Act which allows the Com- 
mission to take action against deceptive or unfair practices. 

I make this suggestion with some circumspection, recognizing 
that there are many who would like Congress to act now. But ab- 
sent a comprehensive data privacy law in the United States and 
recognizing the challenge posed by defining spyware because it has 
beneficial and not beneficial uses, I believe that self-regulation, 
combined with enforcement of existing laws will help address many 
of the issues raised in this area. 

I am also aware that States might be anxious to legislate here, 
but I ask them to be cautious as well because a patchwork of dif- 
fering and inconsistent State approaches might be confusing to in- 
dustry and consumers alike. 

Now finally, as I mentioned, spyware raises important privacy 
concerns and several years ago I appeared before Congress and 
suggested that a Federal law incorporating fair information prac- 
tices might be an acceptable legislative response. I believe it may 
still be, but I don’t think it will be the most effective in addressing 
the problems posed by spyware. 
For the time being, however, a strong, responsible and prompt 
industry self-regulatory response may provide an effective solution 
for the problems that spyware poses for both consumers and indus- 
try. 

Thank you very much. 

[The prepared statement of Hon. Mozelle W. Thompson follows:] 

Prepared Statement of The Federal Trade Commission 

Mr. Chairman and members of the Committee, the Federal Trade Commission 
(“Commission” or “FTC”) appreciates this opportunity to provide the Commission’s 
views on “spyware.”[1] 

The FTC has a broad mandate to prevent unfair competition and unfair or decep- 
tive acts or practices in the marketplace. Section 5 of the Federal Trade Commission 
Act gives the agency the authority to challenge acts and practices in or affecting 
commerce that are unfair or deceptive.[2] The Commission’s law enforcement activi- 
ties against unfair or deceptive acts and practices are generally designed to promote 
informed consumer choice. This statement will discuss the FTC’s activities related 
to spyware, including our recent workshop and potential law enforcement actions. 

FTC spyware workshop 

For nearly a decade, the FTC has addressed online privacy and security issues 
affecting consumers. Through a series of workshops and hearings, the Commission 
has sought to understand the online marketplace and its information practices, to 
assess the impact of these practices on consumers, and to challenge industry leaders 
to develop and implement meaningful self-regulatory programs.[3] 

The most recent example of this approach is the workshop entitled “Monitoring 
Software on Your PC: Spyware, Adware, and Other Software” that was held last 
week. The workshop was designed to provide us with information about the nature 
and extent of problems related to spyware, and possible responses to those prob- 
lems. Specifically, the workshop focused on four main topics: (1) defining “spyware” 
and exploring how it is distributed (including the role of peer-to-peer file-sharing 
software and whether spyware may differ from “adware”); (2) examining spyware’s 
general effects on consumers and competition; (3) exploring spyware’s potential se- 
curity and privacy risks; and (4) identifying technological solutions, industry initia- 
tives, and governmental responses (including consumer education) related to 
spyware. Underscoring the importance of this issue, both FTC Commissioners Orson 
Swindle and Mozelle Thompson personally participated in the workshop. 

To encourage broad-based participation, the FTC issued a Federal Register Notice 
announcing the workshop and requesting public comment.[4] The Commission re- 
ceived approximately 200 comments, and the record will remain open until May 21, 
2004, for submission of additional comments. At the workshop, a wide range of pan- 
elists engaged in a spirited debate concerning spyware, including what government, 
industry, and consumers ought to do to respond to the risks associated with 
spyware. 

Although the agency is continuing to receive information on this important issue, 
the record at the workshop leads to some preliminary conclusions. First, perhaps the 
most challenging task is to carefully and clearly define the issue. “Spyware” is an 
elastic and vague term that has been used to describe a wide range of software.[5] 
Some definitions of spyware could be so broad that they cover software that is bene- 
ficial or benign; software that is beneficial but misused; or software that is just 
poorly written or has inefficient code. Indeed, there continues to be considerable de- 
bate regarding whether “adware” should be considered spyware. Given the risks of 


1 The written statement presents the views of the Federal Trade Commission. Oral statements 
and responses to questions reflect the views of the speaker and do not necessarily reflect the 
views of the Commission or any other Commissioner. 

2 15 U.S.C. §45. 

3 See, e.g., Workshop: Technologies for Protecting Personal Information, The Consumer Experi- 
ence (May 14, 2003); Workshop: Technologies for Protecting Personal Information, The Business 
Experience (June 4, 2003); Consumer Information Security Workshop (May 20, 2002). 

4 69 Fed. Reg. 8538 (Feb. 24, 2004), <www.ftc.gov/os/2004/02/ 

5 For the purposes of the workshop, the FTC Staff tentatively described spyware as “software 
that aids in gathering information about a person or organization without their knowledge and 
which may send such information to another entity without the consumer’s consent, or asserts 
control over a computer without the consumer’s knowledge.” 69 Fed. Reg. 8538 (Feb. 24, 2004), 
<www.ftc.gov/os/2004/02/ 
defining spyware too broadly, some panelists at our workshop argued that the more 
prudent course is to focus on the harms caused by misuse or abuse of software rath- 
er than on the definition of spyware. 

Panelists described a number of harms caused by spyware. These include inva- 
sions of privacy, security risks, and functionality problems for consumers. For exam- 
ple, spyware may harvest personally identifiable information from consumers 
through monitoring computer use without consent. Spyware also may facilitate iden- 
tity theft by surreptitiously planting a keystroke logger on a consumer’s personal 
computer. It may create security risks if it exposes communication channels to hack- 
ers. Spyware also may adversely affect the operation of personal computers, includ- 
ing slowing processing time and causing crashes, browser hijacking, home page re- 
setting, installing dialers, and the like. These harms are problems in themselves, 
and could lead to a loss in consumer confidence in the Internet as a medium of com- 
munication and commerce. 

Many of the panelists discussed how spyware may cause problems for businesses. 
Companies may incur costs as they seek to block and remove spyware from the com- 
puters of their employees. Employees will be less productive if spyware causes their 
computers to crash or they are distracted from their tasks by a barrage of pop-up 
ads. Spyware that captures the keystrokes of employees could be used to obtain 
trade secrets and other confidential information from businesses. In addition, rep- 
resentatives from companies such as ISPs, PC manufacturers, anti-virus providers, 
and an operating system manufacturer indicated that they spend substantial re- 
sources responding to customer inquiries when PCs or Internet browsers do not 
work as expected due to the presence of spyware. As such, these companies also 
may suffer injury to their reputations and lose good will. 

Because of the relatively recent emergence of spyware, there has been little em- 
pirical data regarding the prevalence and magnitude of these problems for con- 
sumers and businesses. Given how broadly spyware can be distributed and the se- 
verity of some of its potential risks, government, industry, and consumers should 
treat the threats to privacy, security, and functionality posed by spyware as real 
and significant problems. 

At the workshop, we heard that substantial efforts are currently underway to ad- 
dress spyware. Industry is deploying new technologies as well as distributing edu- 
cational materials to assist consumers in addressing the problems associated with 
spyware. Similarly, at the workshop, industries involved with the dissemination of 
software reported that they are developing best practices. 

Consumers and businesses are becoming more aware of the capabilities of 
spyware, and they are responding by installing anti-spyware products and taking 
other measures to minimize these risks. Government and industry-sponsored edu- 
cation programs, and industry self-regulation, could be instrumental in making 
users more aware of the risks of spyware, thereby assisting them in taking actions 
to protect themselves (such as running anti-spyware programs).[6] 

FTC LAW ENFORCEMENT 

As the nation’s primary consumer protection agency, the Commission also has a 
law enforcement role to play in connection with unfair or deceptive acts or practices 
involved in the distribution or use of spyware.[7] At the workshop, FTC and DOJ staff 
members noted that many of the more egregious spyware practices described at the 
workshop may be subject to attack under existing Federal and State laws, and the 
workshop concluded with a request that industry and consumer groups notify the 
FTC staff of problematic practices. 

The Commission is conducting non-public investigations related to the dissemina- 
tion of spyware. As discussed at the workshop, however, investigating and pros- 
ecuting acts and practices related to spyware, particularly the more pernicious pro- 
grams, pose substantial law enforcement challenges. Given the surreptitious nature 
of spyware, it often is difficult to ascertain from whom, from where, and how such 
products are disseminated. Consumer complaints, for instance, are less likely to lead 


6 Panelists at the workshop noted that consumers need to be very careful to obtain anti- 
spyware programs from legitimate providers because some purported anti-spyware programs in 
fact disseminate spyware. 

7 The Commission will find deception if there is a material representation, omission, or prac- 
tice that is likely to mislead consumers acting reasonably in the circumstances, to their det- 
riment. See Federal Trade Commission, Deception Policy Statement, appended to Cliffdale 
Assocs., Inc., 103 F.T.C. 110, 174 (1984) (“Deception Statement”). An act or practice is “unfair” 
if it causes or is likely to cause substantial injury to consumers, that injury is not outweighed 
by any countervailing benefits to consumers and competition, and consumers could not have rea- 
sonably avoided the injury. 15 U.S.C. § 45(n). 
directly to targets than in other law enforcement investigations, because consumers 
often do not know that spyware has caused the problems or, even if they do, they 
may not know the source of the spyware.[8] Indeed, computer manufacturers stated 
at our workshop that they believe an increasing number of service calls are 
spyware-related and spyware-related issues are difficult to diagnose. Similarly, 
search engine providers testified that consumers complain to them, not realizing 
that the spyware (not the search engine) is causing their dissatisfaction with their 
search engine. 

The Commission has long been active in challenging unfair or deceptive acts or 
practices on the Internet, and spyware cases are not fundamentally different. Over 
the course of nearly a decade, we have brought approximately 300 cases challenging 
Internet practices involving substantial consumer harms, including harms similar to 
those posed by some examples of spyware. 

Most recently, in D Squared Solutions, LLC, the defendants allegedly exploited an 
operating system feature to harm consumers. The Windows operating system uses 
“Messenger Service” windows to allow network administrators to provide instant in- 
formation to network users, for example, a message to let users know that a print 
job has been completed. The defendants in D Squared exploited this feature to send 
Messenger Service pop-up ads to consumers, advertising software that supposedly 
would block such ads in the future. Consumers would receive these pop-up ads as 
often as every ten minutes. The Commission filed a complaint in federal court alleg- 
ing that the defendants unfairly interfered with consumers’ use of their computers 
and tried to coerce consumers into buying software to block pop-up ads.[9] 

The Commission brought several cases challenging the surreptitious distribution 
of dialer programs. A paper submitted at the workshop by the Computer Software 
Working Group identified surreptitious downloads as an example of one of the 
problematic practices of some spyware programs.[10] Past Commission actions have at- 
tacked similar programs that secretly disconnect consumers from their Internet 
Service Providers, reconnect them to another network, and charge them exorbitant 
fees for long distance telephone service or entertainment services delivered over the 
telephone line.[11] We also have challenged the practice of “pagejacking” consumers 
and then “mousetrapping” them at pornographic web sites.[12] These cases dem- 
onstrate that the Commission has the authority under Section 5 of the FTC Act to 
take action to prevent harms to consumers similar to those that spyware allegedly 
causes. 


CONCLUSION 

Spyware appears to be a new and rapidly growing practice that poses a risk of 
serious harm to consumers. The Commission is learning more about this practice, 
so that government responses to spyware will be focused and effective. We are con- 
tinuing to pursue law enforcement investigations. The FTC thanks this Committee 
for focusing attention on this important issue, and for giving us an opportunity to 
present the preliminary results from our workshop. We look forward to further dis- 
cussions with the Subcommittee on this issue. 

Mr. Stearns. Thank you, Commissioner. Mr. Howard Beales, Di- 
rector of Bureau of Consumer Protection. 

STATEMENT OF HON. J. HOWARD BEALES III 

Mr. Beales. Thank you, Mr. Chairman, and members of the sub- 
committee. I’d like to thank you for providing the Federal Trade 
Commission with this opportunity to submit testimony. The writ- 


8 Identifying the source of spyware is especially difficult when consumers were not even aware 
that the spyware had been installed. 

9 FTC v. D Squared Solutions, LLC, No. 03-CV-3108 (D. Md. 2003). The case is currently in 
litigation. 

10 The Consumer Software Working Group is comprised of public interest groups, software 
companies, Internet Service Providers, hardware manufacturers, and others. Available at <http://www.cdt.org/privacy/spyware/2 

11 See, e.g., FTC v. Alyon Technologies, Inc., No. 1:03-CV-1297 (N.D. Ga. 2003); FTC v. BTV 
Indus., No. CV-S-02-0437-LRH-PAL (D. Nev. 2003); FTC v. Anderson, No. C00-1843P (W.D. 
Wash. 2000); FTC v. RJB Telcom, Inc., No. 002017 PHX EHC (D. Az. 2000); FTC v. Sheinkin, 
No. 2-00-3636 18 (D.S.C. 2000); FTC v. Verity Int’l, Ltd., No. 00 Civ. 7422 (LAK) (S.D.N.Y. 
2000); FTC v. Audiotex Connection, Inc., No. CV-97-00726 (E.D.N.Y. 1997); see also Beylen 
Telecom, Ltd., FTC Docket No. C-3782 (final consent Jan. 23, 1998). 

12 See, e.g., FTC v. Zuccarini, No. 01-CV-4854 (E.D. Pa. 2002); FTC v. Carlos Pereira d/b/a 
atariz.com, No. 99-1367-A (E.D.N.Y. 1999). 
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ten testimony represents the views of the Federal Trade Commis- 
sion and my oral comments do not necessarily reflect the views of 
the Commission or any individual Commissioner. 

We’re here today to discuss spyware, a subject of growing concern 
to consumers. Loosely defined, spyware is software that aids in 
gathering information about a person or organization without their 
knowledge and it may send such information to another entity 
without the consumer’s consent. Other spyware may assert control 
over a computer without the consumer’s knowledge. 

As in many cases of the new internet issues, the question is how 
to proceed against practices that are clearly abusive without inter- 
fering with the benefits that the internet provides to consumers. As 
Commissioner Thompson has described, we’ve accomplished this 
task through a series of workshops and hearings where the Com- 
mission has sought to understand the online marketplace and its 
information practices, to assess the impact of these practices on 
consumers, and to challenge industry leaders to deal with 
consumers in a straightforward and responsible manner. 

Our most recent application of this approach was last week’s 
workshop, “Monitoring Software on Your PC: Spyware, Adware and 
Other Software.” It seems clear from the workshop’s discussion that 
spyware may harvest personally identifiable information from con- 
sumers through monitoring computer use without consent. It also 
may facilitate identity theft by surreptitiously planting a keystroke 
logger on a user’s personal computer. Spyware may create security 
risks if it exposes communication channels to hackers. It also may 
affect the operation of personal computers, causing crashes, brows- 
er hijacking, home page resetting and the like. 

These harms are problems in themselves and could lead to a loss 
in consumer confidence in the internet as a medium of communica- 
tion and commerce. 

Second, many of the panelists discussed how spyware may cause 
problems for businesses too. Companies may incur costs as they 
seek to block and remove spyware from computers of their employ- 
ees or their customers. Employees will also be less productive if 
spyware causes their computers to crash or if they’re distracted 
from their tasks by a barrage of popup ads. Spyware that captures 
the keystrokes of employees could be used to obtain trade secrets 
and confidential information from businesses. 

We also heard that substantial efforts are currently underway to 
address spyware. In response to market forces, industry is devel- 
oping and deploying new technologies to assist consumers. Con- 
sumers and businesses are becoming more aware of the risks of 
spyware and they’re responding by installing anti-spyware products 
and other measures. Certain industry representatives indicated 
that they would explore best practices and consumer education on 
issues related to spyware. All of these efforts are very encouraging. 

Another key theme of our workshop was the need to define the 
problem carefully and clearly. Defining a class of software that 
causes problems is a difficult task. Spyware is an elastic and vague 
term that’s been used to describe a wide range of software. A vague 
definition of software could be so broad that it covers software that 
is beneficial or benign, software that is harmful, software that is 
beneficial or benign, but misused, and software that is just poorly 
written or inefficient code. Such imprecise definitions would treat 
these types of software in the same manner. We need to determine 
whether there is a definable class of software that can truly be 
called spyware. 

The easiest way to start drawing lines is through case by case 
law enforcement. The Commission has law enforcement authority 
to challenge unfair or deceptive practices involved in the distribu- 
tion or use of spyware. At the workshop, FTC and DOJ staff mem- 
bers noted that many of the more egregious spyware practices de- 
scribed at the workshop are subject to attack under existing Fed- 
eral and State laws including Section 5 of the FTC Act. 

We have nonpublic investigations related to the dissemination of 
spyware. However, investigating and prosecuting acts and practices 
related to spyware, particularly the more pernicious programs, pose 
law enforcement challenges. Given the surreptitious nature of 
spyware, it is often difficult to ascertain from whom, from where 
and how such products are disseminated. Consumer complaints 
are less likely to lead directly to targets that are in other law en- 
forcement investigations because consumers often do not know that 
spyware has caused their problems. Even if they do, they may not 
know the source of the spyware. 

Despite the obstacles, the FTC has been active in taking action 
against internet practices involving consumer injury similar to 
those caused by spyware. For example, we’re currently litigating 
against defendants who exploited allegedly an operating system 
feature to send incessant messenger service popup ads to con- 
sumers. It advertised software that supposedly would block such 
ads in the future. We filed a complaint, alleging that the defend- 
ants unfairly interfered with consumers’ use of their computers and 
tried to coerce consumers into buying software to block the popup 
ads. 

And we brought several cases challenging the surreptitious dis- 
tribution of dialer programs. These programs secretly disconnect 
consumers from their ISPs, reconnect them to another network and 
then charge exorbitant fees for long-distance telephone service or 
entertainment services delivered over the telephone line. 

We’ve also challenged the practice of page-jacking and then 
mouse-trapping consumers at pornographic websites. And the prac- 
tice of bombarding consumers with an endless sequence of popup 
ads. We have the legal tools necessary to address bad practices. 

We continue to remain vigilant and eager to take action against 
those who are engaged in bad practices, and we’ve asked industry 
and consumer groups to notify the FTC staff of problematic prac- 
tices. We are, as we said at the workshop, taking names. 

Thank you and I look forward to answering any questions that 
you may have. 

[The prepared statement of Hon. J. Howard Beales III follows:] 
Prepared Statement of The Federal Trade Commission 

Mr. Chairman and members of the Committee, the Federal Trade Commission 
(“Commission” or “FTC”) appreciates this opportunity to provide the Commission’s 
views on “spyware.”¹ 

The FTC has a broad mandate to prevent unfair competition and unfair or decep- 
tive acts or practices in the marketplace. Section 5 of the Federal Trade Commission 
Act gives the agency the authority to challenge acts and practices in or affecting 
commerce that are unfair or deceptive.² The Commission’s law enforcement 
activities against unfair or deceptive acts and practices are generally designed to promote 
informed consumer choice. This statement will discuss the FTC’s activities related 
to spyware, including our recent workshop and potential law enforcement actions. 

FTC SPYWARE WORKSHOP 

For nearly a decade, the FTC has addressed online privacy and security issues 
affecting consumers. Through a series of workshops and hearings, the Commission 
has sought to understand the online marketplace and its information practices, to 
assess the impact of these practices on consumers, and to challenge industry leaders 
to develop and implement meaningful self-regulatory programs.³ 

The most recent example of this approach is the workshop entitled “Monitoring 
Software on Your PC: Spyware, Adware, and Other Software” that was held last 
week. The workshop was designed to provide us with information about the nature 
and extent of problems related to spyware, and possible responses to those prob- 
lems. Specifically, the workshop focused on four main topics: (1) defining “spyware” 
and exploring how it is distributed (including the role of peer-to-peer file-sharing 
software and whether spyware may differ from “adware”); (2) examining spyware’s 
general effects on consumers and competition; (3) exploring spyware’s potential se- 
curity and privacy risks; and (4) identifying technological solutions, industry initia- 
tives, and governmental responses (including consumer education) related to 
spyware. Underscoring the importance of this issue, both FTC Commissioners Orson 
Swindle and Mozelle Thompson personally participated in the workshop. 

To encourage broad-based participation, the FTC issued a Federal Register Notice 
announcing the workshop and requesting public comment.⁴ The Commission 
received approximately 200 comments, and the record will remain open until May 21, 
2004, for submission of additional comments. At the workshop, a wide range of pan- 
elists engaged in a spirited debate concerning spyware, including what government, 
industry, and consumers ought to do to respond to the risks associated with 
spyware. 

Although the agency is continuing to receive information on this important issue, 
the record at the workshop leads to some preliminary conclusions. First, perhaps the 
most challenging task is to carefully and clearly define the issue. “Spyware” is an 
elastic and vague term that has been used to describe a wide range of software.⁵ 
Some definitions of spyware could be so broad that they cover software that is bene- 
ficial or benign; software that is beneficial but misused; or software that is just 
poorly written or has inefficient code. Indeed, there continues to be considerable de- 
bate regarding whether “adware” should be considered spyware. Given the risks of 
defining spyware too broadly, some panelists at our workshop argued that the more 
prudent course is to focus on the harms caused by misuse or abuse of software rath- 
er than on the definition of spyware. 

Panelists described a number of harms caused by spyware. These include 
invasions of privacy, security risks, and functionality problems for consumers. For 
example, spyware may harvest personally identifiable information from consumers 
through monitoring computer use without consent. Spyware also may facilitate iden- 
tity theft by surreptitiously planting a keystroke logger on a consumer’s personal 
computer. It may create security risks if it exposes communication channels to 
hackers. Spyware also may adversely affect the operation of personal computers, 
including slowing processing time and causing crashes, browser hijacking, home page 
resetting, installing dialers, and the like. These harms are problems in themselves, 
and could lead to a loss in consumer confidence in the Internet as a medium of 
communication and commerce. 

¹ The written statement presents the views of the Federal Trade Commission. Oral statements 
and responses to questions reflect the views of the speaker and do not necessarily reflect the 
views of the Commission or any other Commissioner. 

² 15 U.S.C. § 45. 

³ See, e.g., Workshop: Technologies for Protecting Personal Information, The Consumer 
Experience (May 14, 2003); Workshop: Technologies for Protecting Personal Information, The Business 
Experience (June 4, 2003); Consumer Information Security Workshop (May 20, 2002). 

⁴ 69 Fed. Reg. 8538 (Feb. 24, 2004), <www.ftc.gov/os/2004/02/ 

⁵ For the purposes of the workshop, the FTC Staff tentatively described spyware as “software 
that aids in gathering information about a person or organization without their knowledge and 
which may send such information to another entity without the consumer’s consent, or asserts 
control over a computer without the consumer’s knowledge.” 69 Fed. Reg. 8538 (Feb. 24, 2004), 
<www.ftc.gov/os/2004/02/ 

Many of the panelists discussed how spyware may cause problems for businesses. 
Companies may incur costs as they seek to block and remove spyware from the com- 
puters of their employees. Employees will be less productive if spyware causes their 
computers to crash or they are distracted from their tasks by a barrage of pop-up 
ads. Spyware that captures the keystrokes of employees could be used to obtain 
trade secrets and other confidential information from businesses. In addition, rep- 
resentatives from companies such as ISPs, PC manufacturers, anti-virus providers, 
and an operating system manufacturer indicated that they spend substantial re- 
sources responding to customer inquiries when PCs or Internet browsers do not 
work as expected due to the presence of spyware. As such, these companies also 
may suffer injury to their reputations and lose good will. 

Because of the relatively recent emergence of spyware, there has been little 
empirical data regarding the prevalence and magnitude of these problems for 
consumers and businesses. Given how broadly spyware can be distributed and the 
severity of some of its potential risks, government, industry, and consumers should 
treat the threats to privacy, security, and functionality posed by spyware as real 
and significant problems. 

At the workshop, we heard that substantial efforts are currently underway to ad- 
dress spyware. Industry is deploying new technologies as well as distributing edu- 
cational materials to assist consumers in addressing the problems associated with 
spyware. Similarly, at the workshop, industries involved with the dissemination of 
software reported that they are developing best practices. 

Consumers and businesses are becoming more aware of the capabilities of 
spyware, and they are responding by installing anti-spyware products and taking 
other measures to minimize these risks. Government and industry-sponsored edu- 
cation programs, and industry self-regulation, could be instrumental in making 
users more aware of the risks of spyware, thereby assisting them in taking actions 
to protect themselves (such as running anti-spyware programs).⁶ 

FTC LAW ENFORCEMENT 

As the nation’s primary consumer protection agency, the Commission also has a 
law enforcement role to play in connection with unfair or deceptive acts or practices 
involved in the distribution or use of spyware.⁷ At the workshop, FTC and DOJ staff 
members noted that many of the more egregious spyware practices described at the 
workshop may be subject to attack under existing Federal and State laws, and the 
workshop concluded with a request that industry and consumer groups notify the 
FTC staff of problematic practices. 

The Commission is conducting non-public investigations related to the dissemina- 
tion of spyware. As discussed at the workshop, however, investigating and pros- 
ecuting acts and practices related to spyware, particularly the more pernicious pro- 
grams, pose substantial law enforcement challenges. Given the surreptitious nature 
of spyware, it often is difficult to ascertain from whom, from where, and how such 
products are disseminated. Consumer complaints, for instance, are less likely to lead 
directly to targets than in other law enforcement investigations, because consumers 
often do not know that spyware has caused the problems or, even if they do, they 
may not know the source of the spyware.⁸ Indeed, computer manufacturers stated 
at our workshop that they believe an increasing number of service calls are 
spyware-related and spyware-related issues are difficult to diagnose. Similarly, 
search engine providers testified that consumers complain to them, not realizing 
that the spyware (not the search engine) is causing their dissatisfaction with their 
search engine. 

⁶ Panelists at the workshop noted that consumers need to be very careful to obtain 
anti-spyware programs from legitimate providers because some purported anti-spyware programs in 
fact disseminate spyware. 

⁷ The Commission will find deception if there is a material representation, omission, or 
practice that is likely to mislead consumers acting reasonably in the circumstances, to their 
detriment. See Federal Trade Commission, Deception Policy Statement, appended to Cliffdale 
Assocs., Inc., 103 F.T.C. 110, 174 (1984) (“Deception Statement”). An act or practice is “unfair” 
if it causes or is likely to cause substantial injury to consumers, that injury is not outweighed 
by any countervailing benefits to consumers and competition, and consumers could not have 
reasonably avoided the injury. 15 U.S.C. § 45(n). 

⁸ Identifying the source of spyware is especially difficult when consumers were not even aware 
that the spyware had been installed. 

The Commission has long been active in challenging unfair or deceptive acts or 
practices on the Internet, and spyware cases are not fundamentally different. Over 
the course of nearly a decade, we have brought approximately 300 cases challenging 
Internet practices involving substantial consumer harms, including harms similar to 
those posed by some examples of spyware. 

Most recently, in D Squared Solutions, LLC, the defendants allegedly exploited 
an operating system feature to harm consumers. The Windows operating system 
uses “Messenger Service” windows to allow network administrators to provide in- 
stant information to network users, for example, a message to let users know that 
a print job has been completed. The defendants in D Squared exploited this feature 
to send Messenger Service pop-up ads to consumers, advertising software that sup- 
posedly would block such ads in the future. Consumers would receive these pop-up 
ads as often as every ten minutes. The Commission filed a complaint in federal 
court alleging that the defendants unfairly interfered with consumers’ use of their 
computers and tried to coerce consumers into buying software to block pop-up ads.⁹ 

The Commission brought several cases challenging the surreptitious distribution 
of dialer programs. A paper submitted at the workshop by the Computer Software 
Working Group¹⁰ identified surreptitious downloads as an example of one of the 
problematic practices of some spyware programs. Past Commission actions have 
attacked similar programs that secretly disconnect consumers from their Internet 
Service Providers, reconnect them to another network, and charge them exorbitant 
fees for long distance telephone service or entertainment services delivered over the 
telephone line.¹¹ We also have challenged the practice of “pagejacking” consumers 
and then “mousetrapping” them at pornographic web sites.¹² These cases 
demonstrate that the Commission has the authority under Section 5 of the FTC Act to 
take action to prevent harms to consumers similar to those that spyware allegedly 
causes. 


CONCLUSION 

Spyware appears to be a new and rapidly growing practice that poses a risk of 
serious harm to consumers. The Commission is learning more about this practice, 
so that government responses to spyware will be focused and effective. We are con- 
tinuing to pursue law enforcement investigations. The FTC thanks this Committee 
for focusing attention on this important issue, and for giving us an opportunity to 
present the preliminary results from our workshop. We look forward to further dis- 
cussions with the Subcommittee on this issue. 

Mr. Stearns. I thank you. Mr. Ari Schwartz, Associate Director, 
Center for Democracy and Technology. 

Welcome. 


STATEMENT OF ARI SCHWARTZ 

Mr. Schwartz. Chairman Stearns, Ranking Member 
Schakowsky, members of the committee, thank you for inviting 
CDT to testify today. 

In November, we released our first report on the spyware issue 
entitled “Ghosts in our Machines.” At that same time we asked 
consumers to send us their concerns about specific spyware experi- 
ences. Since then hundreds have responded. 


⁹ FTC v. D Squared Solutions, LLC, No. 03-CV-3108 (D. Md. 2003). The case is currently in 
litigation. 

¹⁰ The Consumer Software Working Group is comprised of public interest groups, software 
companies, Internet Service Providers, hardware manufacturers, and others. Available at 
<http://www.cdt.org/privacy/spyware/20040419cswg.pdf> 

¹¹ See, e.g., FTC v. Alyon Technologies, Inc., No. 1:03-CV-1297 (N.D. Ga. 2003); FTC v. BTV 
Indus., No. CV-S-02-0437-LRH-PAL (D. Nev. 2003); FTC v. Anderson, No. C00-1843P (W.D. 
Wash. 2000); FTC v. RJB Telcom, Inc., No. 002017 PHX EHC (D. Az. 2000); FTC v. Sheinkin, 
No. 2-00-3636 18 (D.S.C. 2000); FTC v. Verity Int’l, Ltd., No. 00 Civ. 7422 (LAK) (S.D.N.Y. 
2000); FTC v. Audiotex Connection, Inc., No. CV-97-00726 (E.D.N.Y. 1997); see also Beylen 
Telecom, Ltd., FTC Docket No. C-3782 (final consent Jan. 23, 1998). 

¹² See, e.g., FTC v. Zuccarini, No. 01-CV-4854 (E.D. Pa. 2002); FTC v. Carlos Pereira d/b/a 
atariz.com, No. 99-1367-A (E.D.N.Y. 1999). 

Spyware is clearly an issue of growing concern for internet users. 
As we document in our report, the worst practices that we’ve seen 
are often based on mutated practices of legitimate software compa- 
nies. Therefore, defining the term spyware has become difficult, if 
not impossible. 

The basic problem of spyware is that software being created to 
run on users’ computers, that they have no control over and do not 
want, including some software that passes on personal information 
about the computer user with their consent. CDT believes that in 
order to stop this growing problem, we will need to see action in 
three areas: enforcement of existing law, industry commitment to 
stopping bad practices, and legislation to protect privacy online. 

I will quickly address each of these areas. It is CDT’s opinion 
that many of the worst practices that we have seen today in the 
spyware are already illegal under existing fraud statutes. For ex- 
ample, if a consumer walked into a store and the door was locked 
behind them and they were forced to buy a product, we would ex- 
pect law enforcement to do something about it. If hundreds of thou- 
sands of consumers were not allowed to leave a contract that they 
didn’t even know that they’d enter, we would expect consumer law 
enforcement agencies to do something. And if a third party were 
to tamper with consumers’ telephones in such a way that when 
they try to call Barnes and Noble they were instead connected to 
an adult book store, certainly we would expect law enforcement to 
be there. Yet, the online equivalent of each of these actions, online 
coercion, inability to uninstall or disable and host file overriding 
have not been a serious area of action for any law enforcement 
body to date. 

CDT worked with consumer groups and industry to help develop 
examples of unfair, deceptive and devious practices involving soft- 
ware. These examples are based on real cases where CDT believes 
that law enforcement should be focusing its efforts. That full docu- 
ment was included as part of my written testimony. 

Second, industry needs to do a better job of creating self-regu- 
latory structures for software. CDT is encouraged by the advances 
in the anti-software technology such as those discussed here today 
by EarthLink and Microsoft and the others discussed at the FTC 
workshop last week. As we have seen in the spam war, it’s very 
likely that as the anti-spyware technologies increase, the efforts of 
the spyware creators will undoubtedly double as well. 

Industry should go further and start to draw clear lines in the 
spectrum of current behaviors to begin to help consumers to distin- 
guish the good actors from the bad. A code of best practices could 
give consumers the information and ability that they need to make 
better decisions in the marketplace today. 

Last, CDT strongly believes that many of the privacy concerns 
with spyware, some of which fall out of the scope of legal protec- 
tions could be clearly addressed with the privacy law. 

As the chairman and the committee know, CDT has long argued 
that until we have a privacy law that addresses all of the basic fair 
information practices that privacy issues that we first saw 8 years 
ago with the collection of information via the web and then with 
cookies and then with spam and now with spyware will continue. 
And it will repeat again in new technologies in the future. 
A privacy law would get a root concern, not the root concern, but 
at a root concern rather than trying to define and scope each new 
technology in a limiting way. Still, spyware may pose some unique 
challenges that are not covered in the areas that I’ve outlined. We 
commend Representative Bono and Representative Towns for their 
work and their early attempts to take on this difficult issue, yet we 
also recognize that it would be difficult to define spyware or even 
the broader category of software in a way that addresses the prob- 
lem without confining the market or accidentally legitimizing ques- 
tionable practices that fall outside of the scope of the legislation. 

CDT is committed to working with the committee as the efforts 
move forward and I look forward to answering all of your ques- 
tions. 

[The prepared statement of Ari Schwartz follows:] 

Prepared Statement of Ari Schwartz, Associate Director, Center for 
Democracy and Technology 

Chairman Stearns and Ranking Member Schakowsky, thank you for holding this 
hearing on spyware, an issue of growing concern for consumers and businesses 
alike. CDT is pleased to have the opportunity to participate. 

CDT is a non-profit, public interest organization dedicated to preserving and pro- 
moting privacy and other democratic values and civil liberties on the Internet. CDT 
has been widely-recognized as a leader in the policy debate about the issues raised 
by so-called “spyware” applications.¹ We have been engaged in the early legislative, 
regulatory, and self-regulatory efforts to deal with the spyware problem, and have 
been active in public education efforts through the press and our own grassroots 
network. 

A. Summary 

In our testimony today, we hope to address two questions: What is spyware? And 
how should we respond to it? 

In Section B of our testimony below, we attempt to help define and understand 
the spyware problem. CDT’s report “Ghosts in Our Machines: Background and 
Policy Proposals on the ‘Spyware’ Problem,”² released in November 2003, addresses 
this issue. The report describes the range of invasive software applications referred 
to as “spyware” and clarifies the privacy, transparency and user control issues 
raised by these rogue programs. 

Additionally, over the last six months, CDT has led discussions of a Consumer 
Software Working Group that includes leading members of the Internet industry, 
advertising companies, public interest groups and academics in order to identify 
examples of the worst practices that consumers are facing online. In our testimony today, 
we highlight some of the pertinent issues raised by the working group, summarize 
the findings of CDT’s report, and describe some of CDT’s subsequent research and 
ongoing efforts in these areas. 

In Section C, we turn to potential responses to the spyware problem. CDT sees 
three major areas where action is necessary to stem the disturbing trend toward a 
loss of control and transparency for Internet users: 


¹ See, e.g., CDT’s “Campaign Against Spyware,” http://www.cdt.org/action/spyware/action (calling 
on users to report their problems with spyware to CDT; since November 2003, CDT has received 
over 250 responses). CDT’s Complaint and Request for Investigation, Injunction, and 
Other Relief, in the Matter of MailWiper, Inc., and Seismic Entertainment Productions, Inc., 
February 11, 2004 (available at http://www.cdt.org/privacy/20040210cdt.pdf). “Eye Spyware,” 
The Christian Science Monitor Editorial, April 21, 2004 (“Some computer-focused organizations, 
like the Center for Democracy and Technology, are working to increase public awareness of 
spyware and its risks.”). “The Spies in Your Computer,” New York Times Editorial, February 18, 
2004 (arguing that “Congress will miss the point (in spyware legislation) if it regulates specific 
varieties of spyware, only to watch the programs mutate into forms that evade narrowly tailored 
law. A better solution, as proposed recently by the Center for Democracy and Technology, is to 
develop privacy standards that protect computer users from all programs that covertly collect 
information that rightfully belongs to the user.”). John Borland, “Spyware and its discontents,” 
CNET.com, February 12, 2004 (“In the past few months, Ari Schwartz and the Washington, 
D.C.-based Center for Democracy and Technology have leapt into the front ranks of the Net’s 
spyware-fighters.”) 

² http://www.cdt.org/privacy/031100spyware.pdf 
1) Enforcement of existing laws could go a long way toward reducing the problem 
of spyware. While longstanding fraud statutes already cover many of the issues 
raised by these applications, currently they are rarely enforced against spyware 
programmers and distributors. 

2) Fundamental to the issue of spyware is the overarching concern about online 
Internet privacy. Legislation to address the collection and sharing of information 
on the Internet would resolve many of the privacy issues raised by 
spyware. If we do not deal with the broad Internet privacy concerns now, in the 
context of spyware, we will undoubtedly find ourselves confronted by them yet 
again when they are raised anew by some other, as yet unanticipated, 
technology. 

3) To be effective, legislation and enforcement approaches will have to be carried 
out concurrently with better consumer education, industry self-regulation and 
the development of new anti-spyware technologies. 

We address each of these avenues in turn. 

B. Defining and Understanding “Spyware” and “Adware” 

“Spyware” has no precise definition. The term has been applied to everything from 
keystroke loggers, to advertising applications that track users’ web browsing, to web 
cookies, to programs designed to help provide security patches directly to users. 
“Spyware” programs can be installed on users’ computers in a variety of ways, and 
they can have widely differing functionalities. 

What these programs have in common is a lack of transparency and an absence 
of respect for users’ ability to control their own computers and Internet connections. 

While many programs that have been called “spyware” are advertising software, 
CDT has emphasized that there is nothing inherently objectionable about ad-sup- 
port as a business model. We highlight email applications, such as Eudora, that are 
successful and user-friendly examples of ad-supported software. 

However, in many cases, the revenue that these applications provide has given 
software distributors the incentive to push them onto users’ computers using decep- 
tive or fraudulent means. Ad-support can and must be implemented in a way that 
is transparent to users and respects their choices and privacy preferences. 

Distribution of Spyware 

“Spyware” programs can be distributed in a variety of ways. For example, they 
may be bundled with other free applications, including peer-to-peer file sharing ap- 
plications; they may be distributed through deceptive download practices; or they 
may be installed by exploiting security holes in the web browser or operating system 
on a user’s computer. In some cases, once one “spyware” application has gained ac- 
cess to a user’s computer, it will surreptitiously download and install other applica- 
tions. 

In each of these scenarios, users generally do not know that the software is being 
installed. And once these invasive applications are on a user’s computer they can 
be difficult or impossible to find and remove. 

Effects of Spyware 

As mentioned above, the overarching concerns raised by spyware applications are 
transparency and user control. Within these broad categories, spyware programs can 
raise a host of specific concerns. 

• These programs can change the appearance of websites, modify users’ “start” and 
“search” pages in their browsers, or change low level system settings. In our 
complaint to the FTC against MailWiper and Seismic Entertainment Produc- 
tions, filed in February, CDT asked the Commission to investigate one particu- 
larly egregious example of such “browser hijacking” behavior. 

• Spyware programs are also often responsible for significant reductions in com- 
puter performance and system stability. In many cases, consumers mistakenly 
assume that the problem is with another application or with their Internet pro- 
vider, placing a substantial burden on the support departments of providers of 
those legitimate applications and services. 

• Spyware programs can track users’ online activities. Some gather personally iden- 
tifiable information. The most egregious forms of spyware can capture all key- 
strokes, or record periodic screenshots from a user’s computer. 

• Even in cases where spyware programs transmit no personally identifiable infor- 
mation, their hidden, unauthorized appropriation of users’ computing resources 
and Internet connections threatens the security of computers and the integrity 
of online communications. The “auto-update” component of many of these appli- 
cations can create major new security vulnerabilities by including capabilities 
to automatically download and install additional pieces of code without notifying 
users or asking for their consent, typically with minimal security safe- 
guards. 

CDT is currently conducting technical and public opinion research on the spyware 
issue. We hope to continue to report the results of this work to the Committee as 
we learn more. 

C. Possible Responses to Spyware Concerns 

Combating the most invasive spyware technologies will require a combination of 
approaches. First and foremost, vigorous enforcement of existing anti-fraud laws 
should result in a significant reduction of the spyware problem. 

Addressing the problem of spyware also offers an important opportunity to estab- 
lish in law baseline standards for privacy for online collection and sharing of data. 
Providing these protections would not only address the privacy concerns that cur- 
rent forms of spyware raise, but would put in place standards that would apply to 
future technologies that might challenge online privacy. Anti-spyware tools, better 
consumer education, and self-regulatory policies are also all necessary elements of 
a spyware solution. 

Legislation to establish standards for privacy, notice, and consent specifically for 
software, such as H.R.2929, currently before this Committee, may play an important 
role as well. The challenge to such efforts is in crafting language that effectively ad- 
dresses the spyware issue without unnecessarily burdening legitimate software de- 
velopers or unintentionally hindering innovation. 

So far the efforts to address the spyware issue are all in very preliminary stages. 
They will each require cooperation among government, private sector, and public in- 
terest initiatives. 

Enforcement of Existing Law 

CDT believes that three existing federal laws already prohibit many of the 
invasive or deceptive practices employed by malevolent software makers. Better en- 
forcement of these statutes could have an immediate positive effect on the spyware 
problem. 

Title 5 of the Federal Trade Commission Act is most directly applicable to the 
most common varieties of spyware. We believe that many of the more invasive forms 
of spyware discussed above clearly fall under the FTC’s jurisdiction over unfair and 
deceptive trade practices. Some of these practices are highlighted in the Appendix — 
the Consumer Software Working Group’s Examples of Unfair, Deceptive or Devious 
Practices Involving Software. To our knowledge, the FTC so far has not brought any 
major actions against spyware makers or spyware distributing companies. In Feb- 
ruary, CDT filed a complaint with the FTC against two companies for engaging in 
browser hijacking to display deceptive advertisements to consumers for software 
sold by one of the companies.3 

We believe that one of the most immediate ways in which Congress could have 
a positive impact on the spyware problem is by directing the FTC to increase en- 
forcement against unfair and deceptive practices in the use or distribution of 
downloadable software and by providing increased resources for such efforts. 

Several laws besides the FTC Act may also have relevance. The Electronic Com- 
munications Privacy Act (ECPA), which makes illegal the interception of commu- 
nications without a court order or permission of one of the parties, may cover pro- 
grams that collect click-through data and other web browsing information without 
consent. The Computer Fraud and Abuse Act (CFAA) also applies to some uses of 
spyware. Distributing programs by exploiting security vulnerabilities in network 
software, co-opting control of users’ computers, or exploiting their Internet connec- 
tion can constitute violations of the CFAA, especially in cases where spyware pro- 
grams are used to steal passwords and other information. 

In addition to federal laws, many states have long-standing fraud statutes that 
would allow state attorneys general to take action against invasive or deceptive soft- 
ware. Like their federal counterparts, these laws have not been strongly enforced 
to date. 

New Legislation 

CDT has argued that the most effective way to address the spyware problem 
through legislation is in the context of online privacy generally. Specifically, we be- 
lieve that the privacy dimension of spyware would best be addressed through base- 
line Internet privacy legislation that is applicable to online information collection 
and sharing irrespective of the technology or application. CDT has advocated such 
legislation before the Senate Commerce Committee and in other fora. Until we ad- 
dress the online privacy concern, new privacy issues will arise as we encounter new 
online technologies and applications. 

3 Complaint and Request for Investigation, Injunction, and Other Relief, in the Matter of 
MailWiper, Inc., and Seismic Entertainment Productions, Inc., February 11, 2004 (available at 
http://www.cdt.org/privacy/20040210cdt.pdf). 

Still, software may pose some unique problems. A comprehensive legislative solu- 
tion to spyware may need to address the user-control aspects of the issue such as 
piggybacking, and avoiding uninstallation. H.R. 2929 before this Committee rep- 
resents an important acknowledgement of several of these problems. We appreciate 
the desire to craft targeted legislation focusing on some of the specific problems 
raised by spyware, and CDT commends Representatives Bono and Towns for bring- 
ing attention to this important issue. 

At the same time, we wish to emphasize the complexity of such efforts. The broad 
industry opposition to an anti-spyware bill recently passed in the Utah legislature, 
based on potential unintended consequences of the bill for legitimate software com- 
panies, demonstrates the difficulties that can be introduced by such legislation if it 
is not carefully drafted. We know Representatives Bono and Towns have been look- 
ing hard at some of the specific definitional concerns raised by CDT and others, and 
we look forward to continuing to work with the Committee on this bill. 

Non-Regulatory Approaches 

Technology measures, self-regulation and user education must work in concert, 
and will be critical components of any spyware solution. Companies must do a bet- 
ter job of helping users understand and control how their computers and Internet 
connections are used, and users must become better educated about how to protect 
themselves from spyware. 

The first step is development of industry best practices for downloadable software. 
Although not all software manufacturers will abide by best practices, certification 
programs will allow consumers to quickly identify those that do and to avoid those 
that do not. In the current environment consumers cannot easily determine which 
programs pose a threat, especially as doing so can involve wading through long and 
unwieldy licensing agreements. 

Technologies to deal with invasive applications and related privacy issues are in 
various stages of development. Several programs exist that will search a hard-drive 
for these applications and attempt to delete them. Some companies are experi- 
menting with ways to prevent installation of the programs in the first place. How- 
ever, even these technologies encounter difficulties in determining which applica- 
tions to block or remove. Clear industry best practices are crucial in this regard as 
well. 

Standards such as the Platform for Privacy Preferences (P3P) may also play an 
important role in technical efforts to increase transparency and provide users with 
greater control over their computers and their personal information. P3P is a speci- 
fication developed by the World Wide Web Consortium (W3C) to allow websites to 
publish standard, machine-readable statements of their privacy policies for easy ac- 
cess by a user’s browser. If developed further, standards like P3P could help facili- 
tate privacy best practices to allow users and anti-spyware technologies to distinguish 
legitimate software from unwanted or invasive applications. 

The IT industry has initially been slow to undertake such efforts. However, in- 
creasing public concern about spyware and the growing burden placed on the pro- 
viders of legitimate software by these invasive applications has led to more industry 
attention on this front.4 The Consumer Software Working Group, including major 
Internet service providers, software companies, and hardware manufacturers, has 
expressed its view that this area is ripe for industry self-regulation and best prac- 
tices. 

CDT believes Congress can have an immediate positive impact by encouraging in- 
dustry to continue to follow through on these efforts. 

D. Conclusion 

Users should have control over what programs are installed on their computers 
and over how their Internet connections are used. They should be able to rely on 
a predictable web-browsing experience and to remove for any reason and at any 
time programs they don’t want. The widespread proliferation of invasive software 
applications takes away this control. 

4 See, e.g., Earthlink press release: Earthlink Offers Free Spyware Analysis Tool to All Inter- 
net Users, January 14, 2004 (available at: http://www.earthlink.net/about/press/pr analysis/); 
America Online press release: America Online Announces Spyware Protection for Members, Jan- 
uary 6, 2004 (available at: http://media.aoltimewarner.com/media/newmedia/cb press view. 
cfm?release num=55253697); Microsoft press release: Battling ‘Spyware’: Debate Intensifies on 
Controlling Deceptive Programs, April 20, 2004 (available at: http://www.microsoft.com/ 
presspass/features/2004/apr04/04-20Spyware.asp) 

Better consumer education, industry self-regulation, and new anti-spyware tools 
are all key to addressing this problem. New laws, if carefully crafted, may also have 
a role to play. Many spyware practices, however, are already illegal. Even before 
passing new legislation, existing fraud statutes should be robustly enforced against 
the distributors of these programs. 

The potential of the Internet will be substantially harmed if users come to believe 
that they cannot use the Internet without being at risk of infection from spyware 
applications. We must find creative ways to address this problem through law, tech- 
nology, public education and industry initiatives if the Internet is to continue to 
flourish. 

Appendix: Examples of Unfair, Deceptive or Devious Practices Involving 

Software 

consumer software working group 

The Consumer Software Working Group is a diverse community of public interest 
groups, software companies, Internet service providers, hardware manufacturers, 
and others that are seeking consensus responses to the concerns raised by practices 
that harm consumers. 

Over the past several years, a subset of computer software referred to as 
“spyware” has become the subject of growing public concern. Computer users in- 
creasingly find programs on their computers that they did not know were installed, 
that create risks to privacy, that open security holes, that impair the performance 
and stability of their systems, that frustrate their attempts to uninstall or disable 
the programs, or that lead them to mistakenly believe that these problems are the 
fault of another application or their Internet service provider. 

There is agreement that these practices can raise serious concerns. At the same 
time, the wide range of and lack of clarity in attempted definitions for the types 
of software practices that most concern consumers hamper attempts at self-regu- 
latory, technological and legislative responses. Many definitions of spyware in cir- 
culation today are either under-inclusive in important respects or, more commonly, 
overbroad so that they include practices that clearly benefit consumers, or both.5 

The Center for Democracy and Technology convened the Consumer Software 
Working Group. Companies, public interest groups or academics interested in join- 
ing the Working Group should contact Ari Schwartz <ari@cdt.org>, Michael Steffen 
<msteffen@cdt.org>, or John Morris <jmorris@cdt.org> at the Center for Democracy 
and Technology. 

EXAMPLES OF UNFAIR, DECEPTIVE OR DEVIOUS PRACTICES INVOLVING SOFTWARE 

VERSION 1.0 

The Consumer Software Working Group is concerned about a specific set of devi- 
ous, deceptive or unfair practices that adversely affect consumers online. While the 
following list of examples is not nearly complete, it describes a series of activities 
and behaviors that the Group considers to be clearly objectionable. 

Specifically, the Group identifies three broad types of practices where abuses 
occur today. Most of these practices may be illegal under current law, depending on 
the specific facts of the particular case. Within each area, we offer illustrative exam- 
ples, based on real cases. We note that each of the objectionable behaviors we iden- 
tify has constructive consumer-friendly counterparts when carried out with proper 
notice and consent and in ways that give consumers control. Automatic installation, 
personalization and tracking, and in some cases resistance to uninstallation can pro- 
vide important benefits to consumers. 

We hope that this list of objectionable practices will help to focus technical, self- 
regulatory, regulatory and law enforcement efforts to protect consumers from inap- 
propriate activities in a more targeted and effective manner, while avoiding unin- 
tended negative consequences for good actors and consumers alike. The Working 
Group believes that this is an area that could be ripe for self-regulatory efforts to 
craft industry principles to protect consumers and the marketplace. 

1) Hijacking — The practices described in this section are objectionable to the ex- 
tent that they enable an unaffiliated person to use the user’s computer in a way 
that ordinarily would not be expected. This may occur through an unnoticed pro- 
gram consuming the user’s computing resources or resetting a user’s existing con- 
figurations without the user’s knowledge, or through coercion or deception. 

5 For example, the Working Group observes that the current Utah law addresses practices in- 
volving software that most informed consumers would not consider unfair, deceptive or devious 
and fails to cover some practices that most informed consumers would consider unfair, deceptive 
or devious. 

Example: A computer user sees an Internet advertisement for Program A. 
The user clicks on the ad and is sent to a page that pops up a window asking 
if the user wants to download Program A. The user clicks “no,” but Program 
A is eventually downloaded and installed anyway. 

Example: A computer user sees an Internet advertisement for Product B. The 
user clicks on the advertisement, and is sent to a page that informs the user 
that “Program C is needed to view this Web page.” This leads the user to be- 
lieve that Program C is necessary to view the site about Product B, so the user 
clicks “yes” and the program is downloaded and installed. In fact, Program C 
is not necessary to view the website for Product B and the user is never in- 
formed of the actual reason why Program C was installed. 

Example: A computer user sees an Internet advertisement for Program D. 
The user clicks on the ad, and she is sent to a page that immediately pops up 
a window asking if she wants to download Program D. The user clicks “no.” 
This happens repeatedly until the user gets frustrated and clicks “yes.” 

Example: A computer user receives an Internet advertisement for Product E 
as part of a webpage he is looking at. Simply as a result of loading the ad, Software 
Program F wholly unrelated to Product E is downloaded onto the user’s 
computer. No notice or opportunity to consent to download Software Program 
F was provided. 

Example: While browsing the Internet, a computer user is offered the oppor- 
tunity to download and install Software Program G. Using a fraudulently ob- 
tained digital certificate, the download request falsely identifies Software Pro- 
gram G as being from the user’s trusted Internet Service Provider, H. In fact, 
the Program is not from Internet Service Provider H, and has no relation to the 
ISP. However, based on its claimed affiliation with H, the user agrees to let the 
program be downloaded and installed. 

Example: A computer user loads Company I’s Web page. The Web page opens 
another page running a java script. When the user closes Company I’s Web 
page, the java script page covertly resets the user’s homepage without obtaining 
consent. 

Example: A computer user loads Company J’s Web page. The Web page opens 
another page running a java script. When the user closes Company J’s Web 
page, the java script page covertly resets the user’s homepage. The java script 
is written such that any time the user attempts to reset his homepage, the pro- 
gram automatically resets it again so the user cannot reset his homepage to 
what it was before the hijacking took place. 

Example: A computer user downloads Software Package K. Among the pro- 
grams in Software Package K is a dialer application that was not mentioned 
in any advertisements, software licenses, or consumer notices associated with 
the package or in information provided in conjunction with the ongoing oper- 
ations of the package. The dialer application is not an integral part of Software 
Package K. When the user opens her Web browser after installation of Software 
Package K, the dialer opens in a hidden window, turns off the sound of the 
user’s computer, and calls a phone number without the user’s permission. 

Example: A computer user is sent Software Package L as an attachment to 
an unsolicited commercial email message. There is no documentation for Soft- 
ware Package L. Included in Software Package L is Program M that sends a 
message to Computer N. Computer N then uses Program M on the user’s com- 
puter as a means to send out unsolicited commercial emails. 

2) Surreptitious surveillance — The practices described in this section are objec- 
tionable to the extent that they involve intrusive and surreptitious collection and 
use of personally identifiable information about users that is wholly unrelated to the 
purpose of the software as described to the consumer. 

Example: A computer user downloads Software Package P. Software Package 
P contains a keystroke logger unrelated to any functions described to the user. 
The keystroke logger records all information input on the user’s computer and 
sends this information on to another computer user. The first user is not in- 
formed about the operation of the keystroke logger. 

Example: Program Q advertises itself as a search tool bar. A user downloads 
Program Q to gain the search functionalities. Program Q installs a tool bar, 
but — once installed — also mines the user’s registry and other programs for per- 
sonally identifiable information about the user unrelated to the search 
functionality and without informing the user or obtaining consent. When the 
user connects to the Internet, Program Q sends this information back to the 
company that makes Program Q. 

3) Inhibiting termination — The practices described in this section are objection- 
able to the extent that they frustrate consumers’ efforts to remove a program, de- 
activate it or otherwise render it inoperative. Generally, these practices are intended 
to prevent the user from severing or terminating a relationship with the provider 
of the program. 

Example: A computer user downloads Software Package S. Software Package 
S contains Advertising Program T. Advertising Program T sends the user pop- 
up ads while the user is surfing the Web even if no other programs in Software 
Package S are running. The pop-up ads are not labeled as related to Advertising 
Program T or Software Package S in any way and there is no other way to find 
the ads’ origin. The user is concerned about the increase in pop-up ads, but does 
not know whether they are caused by Program T or are from the Web sites that 
he is visiting. The user has no means to find out the origin of the ads in order 
to make a decision about uninstalling Program T. 

Example: A computer user downloads Software Package U. As initially dis- 
closed to the user, Software Package U contains a mandatory program, Adver- 
tising Program V, which is bundled as a way to generate revenue and pay for 
the development of Software Package U only. When the user uninstalls Soft- 
ware Package U, the user is not given a clear opportunity to uninstall Program 
V at that time, and Advertising Program V stays on the user’s computer. 

Example: A computer user downloads Gaming Program W. The user wants 
to remove Gaming Program W from the computer. Gaming Program W does not 
have an uninstall program or instructions and does not show up in the standard 
feature in the user’s operating system that removes unwanted programs (as- 
suming this feature exists in the operating system). The user’s attempts to oth- 
erwise delete Program W are met by confusing prompts from Program W with 
misrepresentative statements that deleting the program will make all future op- 
erations unstable. 

Example: A computer user downloads Program X. The user wants to remove 
Program X from the computer. Program X appears in the standard feature in 
the user’s operating system that removes unwanted programs. However, when 
the user utilizes the “remove” option in the operating system, a component of 
Program X remains behind. The next time the user connects to the Internet, 
this component re-downloads the remainder of Program X and reinstalls it. 

The following companies, organizations and individuals have worked to describe 
Examples of Unfair, Deceptive and Devious Practices Involving Software. These de- 
scriptions can be used to help focus technical, self-regulatory, regulatory and law en- 
forcement efforts to protect consumers from inappropriate activities. 

America Online; Business Software Alliance; Center for Democracy and Tech- 
nology; Claria Corporation; Consortium of Anti-Spyware Technology Vendors; Con- 
sumer Action; CryptoRights Foundation; Dell, Inc.; Distributed Computing Industry 
Association; EarthLink; eBay; Electronic Frontier Foundation; Google; HP; Informa- 
tion Technology Industry Council; Internet Commerce Coalition; Lavasoft; Microsoft; 
Network Advertising Initiative; Privacilla.org; Sharman Networks; Peter Swire, 
Moritz College of Law of the Ohio State University;6 TRUSTe; Webroot Software; 
WhenU; and Yahoo!. 

Mr. Stearns. I thank the gentleman. I’ll start out with my line 
of questioning and I think I’ll just make a general comment and 
then I want to ask each of you a specific question, a yes or no an- 
swer, if possible. 

I think as in the opening statement of the chairman of our com- 
mittee, the gentleman from Texas, indicated we found on employ- 
ees in the Commerce Committee have over 200 spyware and they 
did not know this. We’ve heard from other members how it’s af- 
fected their computers at home and slowed them down. So obvi- 
ously, there’s some deep concern, not only about privacy, but effi- 
ciency and overall security. 

So the question is and I think I know the answers listening to 
your opening statements. I’ll start with you, Commissioner. You at 
this point do not believe that we need legislation, just yes or no, 
is that true? 

6 Individuals are listed with their affiliation for identification purposes only. 

Mr. Thompson. Yes, at this time, we do not 

Mr. Stearns. We do not need legislation. And Mr. Beales, do you 
think we need legislation? 

Mr. Beales. I do not. 

Mr. Stearns. And Mr. Schwartz? 

Mr. Schwartz. I think that we need privacy legislation today 
and we may need spyware legislation in the future once we’ve gone 
further in going after worst practices. 

Mr. Stearns. You mentioned three areas: enforcement, elimi- 
nating bad practices and legislation. 

Mr. Schwartz. And privacy legislation. 

Mr. Stearns. So what you’re talking about is an overall privacy 
legislation of which spyware would be a component, is that what 
you’re saying? 

Mr. Schwartz. That’s correct, yes. 

Mr. Stearns. And Mr. Baker? Do we need legislation? 

Mr. Baker. We think legislation would complement industry 
technology efforts and FTC enforcement. 

Mr. Stearns. Okay, and Mr. Friedberg? 

Mr. Friedberg. Yes. We believe in a holistic solution and to the 
degree enforcement can’t do what they need to do because there’s 
some laws missing, then we would 

Mr. Stearns. You mentioned you’re going to have a new software 
program, but today, would you advocate legislation to solve this 
problem, yes or no? 

Mr. Friedberg. Again, I think it goes back to whether or not 
there’s enough teeth in the existing laws to go after the deceptive 
practices. 

Mr. Stearns. Do you think there’s enough teeth in the existing 
laws? 

Mr. Friedberg. Unfortunately, I’m not a lawyer, but I would 

Mr. Stearns. I’m asking you a personal opinion. I mean you’re 
here, you’re one of the experts here on the panel and your high 
technology of interest and expertise, we’ve just told you that mem- 
ber employees on our Commerce Committee have over 200 of these 
spywares that they didn’t know it, it’s slowing it down, so you’re 
saying that your software would solve all the problems? 

Mr. Friedberg. No, absolutely not. 

Mr. Stearns. Do you think legislation 

Mr. Friedberg. We think there’s a holistic strategy and I think 
Commissioner Thompson and others have stated they feel very con- 
fident about the current laws. That’s fantastic, I think. We can go 
after them and create a deterrent, it’s wonderful. 

Mr. Stearns. Let me ask you then, you testified that any Fed- 
eral legislation should address deceptive behavior and not 
functionality and I guess that’s the key point, that we want to not 
bog down the internet. We want to have the functionality there, 
but we’ve got to address this deceptive behavior. 

Please explain what behaviors are not illegal already that we 
should address. 

Mr. Friedberg. Not illegal already? 
Mr. Stearns. In other words, when a person is dealing with 
spyware, from what I hear it looks like most of it is coming in ille- 
gally. It’s in my computer and I don’t want it. So that’s a behavior 
that I don’t want. So what is the functionality of this that I should 
allow it to be in and why shouldn’t I legislate to say don’t come in 
without my permission. 

Mr. Friedberg. When you actually look at the features that un- 
derlie some of what’s happening, it turns out that a lot of those fea- 
tures have positive user benefit. For example 

Mr. Stearns. Give me some examples of positive user benefit. 

Mr. Friedberg. Let’s just take adware. Obviously, it’s a very con- 
tentious issue, but a piece of software that’s going to display some 
advertisements, that’s what it does. That’s its function. Now if I’m 
a user and I have to pay $120 a year for a service and I have the 
choice to maybe see some ads and not have to pay that money, I 
think that’s a fair horse trade providing I was told up front what 
that deal is and I can fully understand the terms under which it’s 
happening and so there’s an example of where the feature is not 
the issue, it’s when people do it deceptively where you have no con- 
trol over that adware, it’s just showing up in your box, can’t turn 
it off. Clearly a bad situation. 

Mr. Stearns. Commissioner, you are on the panel of peers to be 
the strongest advocate for no legislation. The State of Utah has 
passed a bill. California and Texas is doing this. New York is going 
to do this. Shouldn’t Congress, if nothing else, preempt these with 
a Federal law instead of having 50 separate State laws dealing 
with spyware? 

Mr. Thompson. I understand that point and I think that 

Mr. Stearns. I mean, the practicality. 

Mr. Thompson. But what I say is at this time what I’m looking 
for is industry to define good behavior to isolate bad behavior. 
That’s what you heard with the other people on this panel. There 
are certain behaviors that are bad that we can get at right now. 
Unfair and deceptive practices, for example, if they put something 
on your computer and it violates their privacy policy, then we can 
do something about it. If it’s sending information that you have no 
way of avoiding, that’s something we need to know about. But 

Mr. Stearns. But shouldn’t we stop that practice of putting it in 
your computer without you knowing about it? 

Mr. Thompson. I think we can get at some of that right now. 
The point is that I need 

Mr. Stearns. Well, why isn’t our staff doing it? The public obvi- 
ously has ignorance on this and doesn’t even know. You click a bar 
up here, some of the bars that were clicked up here you hit cancel 
or yes or even the top of the dialog bar, it doesn’t matter. You’re 
still going to get the spyware in the computer, so tell me why 
shouldn’t we stop that? 

Mr. Thompson. And that’s part of the challenge that we have. 
First of all, we need the responsible companies to come clean and 
tell consumers what it is they’re doing, how they’re doing it and 
then the second thing, then we need to isolate those people who are 
not. 

Let me tell you something. Most of the people who are involved 
in the most insidious behavior, secret spyware that will get after, 
that will allow them to get identity theft, to mine your information, 
etcetera, that’s unlawful now and those people don’t care about the 
law. 

Mr. Stearns. I’ll conclude by just saying I’m a little concerned 
that you’re not outraged that people have access to somebody’s pri- 
vacy, Social Security Numbers and all this and you’re saying just 
let things go by the wayside when actually I would think you as 
Federal Trade Commission should be saying we need more money, 
we want to enforce it, we’re going to do something about this. Con- 
gress, this is what we need. 

Mr. Thompson. I am outraged and we always need more money, 
but what I am saying to you is there’s a danger. The danger in try- 
ing to define this in the scope of legislation right now, is to be 
overbroad which will deny us of beneficial uses. 

Mr. Stearns. My time is up. 

Mr. Thompson. Or too narrow. 

Mr. Stearns. The gentlelady, Ms. Schakowsky. 

Ms. Schakowsky. Mr. Thompson, if legislation is not warranted 
at this time, I know you had a workshop and that’s the beginning, 
but what are you doing exactly in terms of enforcement of current 
laws? It seems to me the ball is in your court as well as in that 
of industry. You’re looking for a voluntary industry response, you’re 
saying, but what exactly are your plans then in the short term? 

Mr. Thompson. I would like the Bureau Director to be in to talk 
about that because he can talk about specific enforcement activity. 

Mr. Beales. We are actively looking for spyware cases. We have 
open investigations. We will pursue those. We have brought cases 
that have challenged the deceptive downloads of dialers that dis- 
connect you and reconnect you. We’ve brought cases that are very 
much the same kind of practice of once you’re in the door, you can’t 
get out until you buy the program. We’ve brought the extortion 
kind of case of buy this product and I’ll stop sending you the ads 
that — this product will stop the ads that we’re sending you. 

We’ve brought all those kinds of cases. We will continue to pur- 
sue those cases. The problem is not one of legal authority. It is de- 
veloping and proving a case in Federal Court. 

Ms. Schakowsky. It sounds like this is a problem that’s esca- 
lating rather than shrinking as we go forward. So what is it that 
consumers ought to be expecting from both industry and from the 
regulatory agencies right now? And then, Mr. Schwartz, I’d like 
you to add why it is that this broad privacy legislation might add 
relief to consumers? 

Mr. Thompson. I think step one, I think responsible industry 
needs to tell consumers what software they’re putting on the sys- 
tem, how it works and giving consumers a choice of whether to 
have it or not to have it. 

Ms. Schakowsky. How big a problem is responsible industry? 
Usually when we’re dealing with the most insidious scams, we’re 
dealing with irresponsible players here who have the intention of 
robbing people of their information, et cetera. 

Mr. Thompson. And that’s exactly the point. One of the things 
I would like to see done is that the good guys can all work on the 
same baseline to say this is what the behavior, standard behavior 
is in the industry, so we can begin to say anything that’s outside 
of that is really ripe for our picking. 

Ms. Schakowsky. Are you planning then to establish some kind 
of rule that would set those boundaries and the parameters rather 
than simply relying on industry itself to come up with that? 

Mr. Thompson. As you said in your comments, we are at the be- 
ginning stages of talking about that. The workshop was very help- 
ful. And as I said in my statement, I want effective and timely re- 
sponses. I think we will continue to work with industry to see that 
that happens, but this is one issue that I think is important to 
have the committee’s continued involvement and review. 

Ms. Schakowsky. Clearly, the Congress and the bipartisan way 
is interested in stepping into this. If you’re saying we should not, 
then it seems to me you have to have a very clear time line to come 
back with and say this is our plan, this is what we expect from in- 
dustry. We really haven’t seen that. 

I would like to particularly get Mr. Schwartz’ — tell me how this 
broad privacy legislation would help? 

Mr. Schwartz. Let’s take a step back and look at the broader 
picture of online privacy. If we pass a law that says when you 
download software and you focus on the privacy of downloaded soft- 
ware, rather than general software, so let’s say we do get the real 
fair information practices built into a software law that has notice, 
choice of intent for consumers, ability to access and see what they 
are turning over to the companies, etcetera. Then simply the bad 
acting companies simply start doing that from a server that’s — 
where information is not downloaded to the computer, from some- 
where remote. We’ve seen cases like that similar to that today. 

By trying to define software and come up with privacy rules just 
for software, you’re leaving out the exact same practices that we 
consider to be bad practices that are just done from a remote serv- 
er. 

Similarly, we saw this in web privacy as well. Early on we did 
not have any notices at all. As practices start to improve in one 
area, the bad acting companies shift and go to another area where 
they feel they can take advantage of consumers and that’s going to 
continue to happen because that’s the nature of technology. We’re 
going to come up with new technological challenges. But if we have 
a broad law that focuses on the practice, rather than the tech- 
nology, we can go after the actual root cause which is that compa- 
nies are misusing people’s personal information, not telling them 
what they’re doing with it and keeping it in incorrect ways where 
consumers don’t even know it could be used against them and they 
don’t even have the ability to change it if it’s wrong. 

Ms. Schakowsky. Thank you. 

Mr. Stearns. The full chairman of the committee, the gentleman 
from Texas, Mr. Barton. 

Chairman Barton. Thank you, Mr. Chairman. I am reading 
from the FTC testimony here, the Commissioner’s testimony, page 
5, it says “at the workshop, FTC and Department of Justice staff 
members noted that many of the more egregious spyware practices 
described at the workshop may be subject to attack under existing 
Federal and State laws.” 
Later on in that same page it says, “However, investigating and 
prosecuting acts and practices related to spyware, particularly the 
more pernicious programs pose substantial law enforcement chal- 
lenges.” 

Now then, my understanding, Commissioner, is that you said 
that you didn’t think additional Federal legislation was necessary, 
yet in your testimony you’re talking about it says “it may be sub- 
ject to attack and pose substantial law enforcement challenges.” 

Why in the heck don’t you support us legislating so we make it 
perfectly clear? If somebody walks in my house without my knowl- 
edge, without my permission, they’re trespassing and there’s a law 
that says that’s illegal. And what you’re saying is if somebody 
comes into my personal computer in my house, it may violate a law 
and it may be a problem, but it might be difficult to prosecute. Why 
not work with this committee to come up with legislation that 
makes it perfectly clear that it’s illegal? And then if somebody 
wants that crap on their computer, they can opt to let it be. 

I mean I don’t understand. I really don’t understand why we’re 
having a semantical debate about something that everybody I’ve 
talked to is totally outraged about. I’m the moderate on this issue, 
by the way, on the panel. 

Mr. Thompson. Well, Mr. Chairman, you know what I think 
about privacy in general, and we’ve discussed that before. I think 
that targeted legislation here at this time would be very difficult, 
if not impossible to define. And what I’m concerned about is lead- 
ing people to believe that defining a certain kind of software, for 
example, will address the problem. 

Let me give you an example. There are so many things in this 
area that would be a problem notwithstanding whether they in- 
formed you of it or not. If someone came in and told you we’re 
going to disclose to you that we’re putting software on your ma- 
chine that’s going to monitor your activity, that we can send to 
identity thieves, that would be unlawful no matter what. And it 
doesn’t really matter 

Chairman Barton. My understanding is there’s not been one en- 
forcement action even attempted. Is that true or not true? 

Mr. Thompson. That’s not true. 

Chairman Barton. That’s not true. So you’ve done one? 

Mr. Thompson. There are some things that are pending that I 
can talk about 

Chairman Barton. Ah, some things that are pending. Maybe 
two, three? We’ve got 140 million people and I’ve yet to see a per- 
son when they find out this is on their computer says oh, that’s 
okay. I’m okay with it. 

Mr. Beales. We have brought a number of cases, at least three 
or four, that challenged deceptive downloading of dialer programs 
that disconnect you and reconnect you to different service provider. 

Chairman Barton. Have you got any convictions? 

Mr. Beales. Yes, we have. 

Chairman Barton. You’ve got how many? 

Mr. Beales. In all of those cases. In none of those cases that 
have been fully litigated or resolved and none of our cases have we 
lost. 
Chairman Barton. If we were to pass a law that said you can’t 
put anything on a person’s personal computer without their explicit 
knowledge and if you do, it’s a Federal crime subject to whatever 
the penalties are, would that help or hurt prosecute these cases, if 
we made it explicit? 

Mr. Beales. I don’t think it would make any difference in the 
ability to prosecute these cases. It would make the process of in- 
stalling new software with hundreds of different subprograms that 
I have no clue what they do, extremely tedious and difficult. 

Chairman Barton. And that’s a good thing. 

Mr. Beales. No, it’s not. 

Chairman Barton. You want this stuff on your computer? You’re 
the only person in the country that wants spyware on your com- 
puter. 

Mr. Beales. No, I want my word processing program to work. 

Chairman Barton. We do too. 

Mr. Beales. And if you pass a law that says I have to go through 
each component of that word processing program as it installs and 
agree to that component, either I’m going to agree to everything 
and the spyware is still going to be there because I’ve been trained 
to agree to everything or my word processor 

Chairman Barton. So now you’re saying that spyware is nec- 
essary to install a program on your computer? 

Mr. Beales. No, I’m saying that software includes a lot of dif- 
ferent programs where I don’t know and I don’t want to know ex- 
actly how they function to put a footnote in my document. 

Chairman Barton. And that’s what spyware does? 

Mr. Beales. No, it’s what software does. 

Chairman Barton. We’re not opposed to software. 

Mr. Beales. But if you require consent to the installation of each 
program, then I’m going to have to go through each one of those 
programs 

Chairman Barton. Let me just clue you. Unless I’m totally mis- 
taken, when we get ready to move this bill all but a handful of the 
members of this committee on a bipartisan are going to be sup- 
portive of it. Now I’m not a software expert. I’m not a computer ex- 
pert, but I can count votes on my committee. And I would encour- 
age the Federal officials at the table to work with us on how to 
clarify the language that helps you enforce the law. Instead of try- 
ing to defend something that is not defendable. 

I bet you that we could go to every person in this room that has 
a personal computer and I would be stunned unless they just 
cleaned their programs, cleaned their computers, they don’t have 
spyware on their personal programs right now, including the peo- 
ple at the witness table. Every one of you. 

And then I would double down and bet that if we asked if they 
wanted to take it off, almost everybody would say they want to 
take it off, except for you, sir, who apparently thinks it’s a great 
thing which is what makes America great that we can agree to dis- 
agree, I guess. 

Mr. Beales. I think it is very difficult to draw a line around the 
what is the spyware, where I don’t want it either and where we 
think there clearly are bad practices. 

Chairman Barton. Well, then work with us 
Mr. Beales. We are happy to do that. 

Chairman Barton. Work with us to define the line. 

Mr. Beales. We are happy to do that to try to draw the line as 
well as possible. What is not clear to us is whether there is a 
meaningful line that can be drawn. 

Chairman Barton. I am very confident that with the lawyers we 
have on the committee and the lawyers that we have at your agen- 
cy, we can draw the line. 

With that, Mr. Chairman, I yield back the negative balance of 
my time. 

Mr. Stearns. That’s all right, Mr. Chairman, I just want to but- 
tress your argument by pointing out, as I point out in 2003 there 
were 2 million spyware software programs. Today, in the year — 
they project 14 million currently. So I would say to the Commis- 
sioner, with those statistics it sort of shows that the chairman is 
talking about a serious problem. 

Mr. Strickland. 

Mr. Strickland. Thank you, Mr. Chairman. We’ve been talking 
about for lack of a better way to put it, bad actors, using spyware. 
Are there good actors who use spyware? 

Mr. Beales. Well, it depends on how you define it, but on many 
definitions, yes, there are. Keystroke loggers, for example, which 
can be used to steal personal information and for identity theft are 
frequently downloaded by help desks to try to figure out what it 
is you’re doing, how it is they can help you use your computer bet- 
ter. That’s a perfectly legitimate use of exactly the same software. 

Mr. Strickland. Is that done with the permission of the person 
whose information is being collected? 

Mr. Beales. Certainly with the implicit permission, whether it’s 
explicit or not, I don’t know, but certainly with the implicit permis- 
sion because they’ve called and asked for help. 

Mr. Strickland. Let me ask this question. How many of you 
would agree with this statement, instead of regulating and out- 
lawing certain types of software, we need to rather regulate certain 
types of behavior? 

Do any of you agree or disagree with that? 

Mr. Beales. I would agree with that completely. 

Mr. Thompson. I would agree with that as well. 

Mr. Strickland. And is it your impression that the legislation 
under consideration from my colleague from California an attempt 
to regulate software rather than an attempt to regulate behavior 
as you understand the proposal? 

Mr. Baker. No sir, if I may, I don’t think that it’s an attempt 
to regulate software. I think it does regulate behavior because it’s 
not saying that any specific type of software is banned, but rather 
that software can’t be downloaded to a user without their consent, 
without clear notice, without a means to uninstall it. So I think 
that is addressing the behavior. 

And to your earlier question, I mean no, and I think this is what 
Mr. Beales was trying to describe earlier. We don’t want a world 
where every time a consumer tries to use any program every web 
page they go to, every click of the mouse they’re going to get a 
nothing dialog box saying do you agree, do you agree, do you agree? 
Nobody wants that. 
But I think what we’re doing here is establishing when things 
are loaded onto users’ computers without their permission, from 
somebody that they have not agreed to. Certainly, if it’s an update 
to their Microsoft operating system, to their EarthLink internet ac- 
cess, I mean that’s something that the user has already agreed to 
and I think there’s a fundamental difference there. 

And I think that the statute does a pretty good job of distin- 
guishing between legitimate and illegitimate users of software 
that’s downloaded to a computer without the user’s knowledge. 

Mr. Strickland. I have some problem understanding the dif- 
ference between my Chairman’s position and what I’m hearing 
from some of you in terms of if there’s a problem and people are 
being abused in ways that they don’t choose to have their computer 
used and is it possible to achieve what Mr. Barton wants to achieve 
and at the same time avoid the problem that Mr. Beales, I think, 
is trying to describe for us? Is there a way to accomplish both? 

Mr. Friedberg. I think as Congresswoman Bono mentioned, the 
devil is in the details and I think we all really want these bad ac- 
tors to go away and for us to take back control of our computers. 
Everybody wants that. And we know that one element of the solu- 
tion is kind of focusing on behavior, but when we write the clauses 
and the rules, we need to still tie it down to something. That’s 
where the challenge is is tying it to the stuff, the software. 

Mr. Strickland. But do you feel that that can be accomplished 
without interfering 

Mr. Friedberg. It is very, very hard. I have been thinking about 
this a lot and I am a computer scientist by trade and so I can tell 
you how hard it is. There are a couple of areas in particular that 
are very challenging. Uninstall requirements is one. The way you 
do consent is another. I know as a best practice I suggest to people 
in our company to do just in time consent and that’s this concept 
of waiting until the most relevant moment when the user actually 
has some context to make a decision. If we put in certain rules and 
I’m not saying any particular legislation does this, but that require 
everything that happened in install time or transmission time, 
we’ve really missed the boat in terms of what, how users make 
trust decision. And we need to think about what’s going to make 
my mom make good decisions when she’s presented with the soft- 
ware and at what point does it make sense to have that? 

I know in Windows, when something crashes, we pop up this 
window’s error report. And we do that at the time of the crash and 
we tell the user hey, we might be able to find a fix for you if you 
let us send some data back to Microsoft to figure it out. So the user 
has great context. They know exactly hey, I want to keep going, I 
want my word thing to word and it’s okay. I’m going to send this 
data and you can actually look to see what data is going to be sent, 
so you can understand your privacy impact at the time of the situa- 
tion. 

If we ask this question at the beginning, at installation time, 
there’s no context. So there’s all these different paradigms to con- 
sider, different ways to do consent, different ways to get this notice 
to show up. 

Another is the user interface issues and design. As people point- 
ed out, nobody wants to have 100 of these popups just show up and 
completely color your experience. It doesn’t make any sense. Also, 
we have new devices that are coming out almost every day and so 
it’s very hard to figure out what their requirements are going to 
be. For example, there’s this media center edition that we offer 
that’s a 10 foot experience. Letters are really big. We only get two 
lines of text to communicate to the user these big issues, so we 
can’t have very elaborate notices in that experience and likewise, 
if I have a watch that’s really smart and it wants to download some 
new software. I’ve got very little room to provide that same notice. 
So we have to really think hard about all of these different sce- 
narios. And that’s why people are saying it’s a little early. We real- 
ly haven’t had time to look at all of these, what I’ll call test cases 
and watch out and figure out where the gotchas are. Because if we 
codify some of this stuff into law, suddenly we’ve tied our hands 
in an evasion which I think is a mistake. 

Mr. Schwartz. Can I address another issue along with some of 
the things that makes this more difficult 

Mr. Strickland. My time is up, but 

Mr. Stearns. Sure, why don’t we just let them answer the ques- 
tion and call it quits. 

Mr. Schwartz. I was just going to say that the complexity of — 
this is not just like one company coming and monitoring the behav- 
ior of a computer user. These are — it’s a complex network of affili- 
ates, of individuals that are all involved in passing information to 
each other and cram the software down on computer users. 

In the case that we brought to the FTC that we hope that there 
will be action on we found at least four or five different parties, two 
of whom didn’t know what was going on at all. They were simply 
kind of pawns in the whole scheme, whereas two others, to our 
mind, seemed to be active actors trying to put spyware on people’s 
computers and trying to get them to buy software that they didn’t 
really need. 

And in developing this case, it took us 2 months to put together 
and to turn it over to the FTC. It takes a lot of resources to put 
together these cases and track back the entire network. I think 
that’s true for spam cases as well. Personally, I think we need to 
see the FTC get more resources to be able to go after these kinds 
of cases. Even if we had a new law that got at, closed up some of 
the existing holes, we would still have to have this same problem 
of being able to track down the bad guys. 

Mr. Stearns. Thank you and the author of the bill, the 
gentlelady from California, Ms. Bono. 

Ms. Bono. Thank you, Mr. Chairman. It sure is nice to have 
again your full weight and that of Chairman Barton’s behind this 
legislation and since we’ve started this hearing I think I’ve gained 
three co-sponsors, so I appreciate my colleagues paying attention. 

But I am stymied by a lot of what I’m hearing and I’m also en- 
couraged by a lot. First of all, we keep talking about prosecution, 
prosecution. What the FTC has certainly failed to do is stop the 
proliferation of spyware and adware. You have failed in that. And 
it has grown exponentially and that is my intent. First of all, is to 
stop this growth, boom in this business, but also this bill is really 
about consumer empowerment. And as I mentioned to Mr. 
Friedberg, the devil is in the details in all of the legislation we 
write here and I look forward to working with all of you in industry 
and my colleagues on crafting the perfect legislation. I have been 
revising it day by day, just to address these issues. 

But you know, if we take this away from the realm of ones and 
zeros and change it to durable goods — for example, a car. I think 
Chairman Barton talked about this a little bit in trespassing. If I 
just bought a new car and I drove it home, parked it in my garage, 
would that give the automobile manufacturer the opportunity to 
come to my house and come into my garage and fix something be- 
cause there was a recall notice on it without my knowledge? I don’t 
think so. I do agree that there are beneficial uses of spyware, but 
I think if you warn the consumer first that this is all we’re install- 
ing, it should be so simple. I love how Congress sometimes loses — 
I don’t know that Congress has, but I think some people have, lost 
common sense. What is wrong with consumers simply knowing this 
is being installed. For example, Kazaa. I have two teenagers at 
home. They installed Kazaa. They thought this was great software. 
They were getting all of this free music, until I had to remind them 
about copyright and all of these things. I said — I had to point out 
to them somebody is still making money off of this and let me tell 
you how it works. And that’s the way this all began. Somebody is 
making money. But it’s not a songwriter. It’s not a copyright hold- 
er. It’s a third party you don’t even know about. 

My question to you, Commissioner, is would you allow that? 
Would you allow — let’s say I’ve taken that new car, that new Ford 
I bought and it’s no longer in my garage. I’ve parked it on the 
street, because it’s a public highway, similar to the internet. So 
now I’m going to allow Ford to come by and fix that recall notice 
without my — and this is a legitimate use of spyware. I’m actually 
talking about a legitimate use because I believe that Microsoft and 
Symantec and legitimate software companies do warn you and they 
do say we’re going to update your software and occasionally they 
allow you to hit a button that says yes, I know you’re doing it. 
Sometimes it happens automatically. That’s a convenience. I know 
it’s happening. But would you allow that to happen to a Ford? Be- 
cause that’s what I’m hearing you say right now, it’s okay. It’s okay 
or maybe you’ll enforce it or maybe you’ll stop it, but right now it’s 
okay. 

Mr. Thompson. Let me make something perhaps a little clearer. The 
challenge is the definition, because the same kinds of behavior — 
the same kinds of software can be used for beneficial and non-bene- 
ficial uses 

Ms. Bono. Excuse me, Mr. Commissioner, I disagree. I disagree. 
And you know, first of all, again as I’ve said, the beneficial use, 
most companies do inform you that they’re going to be collecting 
data from your computer and they let you know that when you in- 
stall the software. So that could be covered. We could allow that. 
The end user license agreement which is pages long, if we sim- 
plified to a simple box that would be covered, legitimate software 
sites could be covered. So I don’t even know that you need to dif- 
ferentiate between because they are covered because they are doing 
that currently. 

Mr. Thompson. What I’m concerned about is if you define some- 
thing that is really based on consent and not in more detail about 
behavior, then the very same thing that people are asked to con- 
sent to without any context can be used by that same company in 
ways that consumers don’t want. 

Ms. Bono. Which leads me, if I can jump because time flies. 

Mr. Friedberg, can you tell me really fast, according to 
PestPatrol, there’s something called Alexa and Alexa is a new tool 
bar and apparently it’s bundled with Microsoft’s Internet Explorer 
and I understand it collects information from websites that are vis- 
ited. Can you briefly describe Microsoft’s relationship with Alexa? 

Mr. Friedberg. There are two different versions of Alexa that I 
know of. One is a tool bar that Alexa offers that’s not directly cou- 
pled to IE. There’s another lighter weight version that’s actually in 
IE that provides something called show related links. The light- 
weight version that’s actually in IE sends an URL to the service 
and it returns back links that are similar to that link that you 
might be interested. 

It’s my understanding that that service does not retain or store 
any data and that the only information that’s passed is this URL 
and it’s sent back to the user. I can’t speak for what the Alexa tool 
bar does. You’d have to talk to them and look at their privacy 
statement and read it very carefully, but again, when you look at 
the spyware results, when people say something is something on 
those lists, you have to look very carefully what the criteria is to 
understand which version of the software they’re actually ranking. 
Just to be clear. 

Ms. Bono. I look forward to working with you more on it and I 
know, Mr. Chairman, my time has expired. Thank you very much. 

Mr. Stearns. I thank the gentlelady. The gentleman from Ari- 
zona. 

Mr. Shadegg. Thank you, Mr. Chairman, I didn’t know my time 
was up. I thought we had to go to the other side. 

Gentlemen, let me begin with the gentlemen from the FTC. Com- 
missioner Thompson, you said no legislation is needed and you said 
the FTC Act allows the Commission to take action against decep- 
tion now. 

Mr. Beales, you said we have the necessary tools to stop or at 
least address the practice. So both of you contend we don’t need 
legislation. 

I want to know how many people you have brought enforcement 
actions against and achieved a penalty against to date? 

Mr. Beales. Well 

Mr. Shadegg. My time is very limited, just 

Mr. Beales. It depends exactly what you mean by spyware. 
There are probably — this is a guess and I’ll get you for the record 
precisely. There are probably 15 or 20 defendants that have been 
involved in the dialer programs, all of whom have been, all of 
whom have been penalized in one way or the other. 

Mr. Shadegg. I would like you to supply to the committee pre- 
cisely how many you have gone after that you contend could be 
considered spyware and taken action against. Then I want to know 
first, right now, what are the potential penalties you can impose? 

Mr. Beales. We can get full redress for whatever money they 
have made from consumers and 

Mr. Shadegg. Full redress. Can you impose criminal penalties? 
Mr. Beales. No, we have no criminal authority. 

Mr. Shadegg. So full redress means they make $200,000 out of 
the deal, they steal that from me, you can get back the $200,000. 
What’s the disincentive if all you can get back is what they took 
from me, what’s the disincentive for them to do that again? 

Mr. Beales. Well, in a typical case, there’s not anything like 
$200,000 left. And 

Mr. Shadegg. I’ve worked very extensively on identity theft leg- 
islation and I guarantee you when your identity gets stolen, it’s 
nearly impossible to quantify the damages people suffer and calcu- 
lating how much they’ve suffered is near impossible. The point is 
in all of criminal law, and I used to work for the Arizona Attorney 
General’s Office, if all you can get back from the bank robber is 
what he took, there’s no disincentive to rob the bank. So I guess 
my question is do you have the ability to impose penalties beyond 
what you think they’ve profited? 

Mr. Beales. We do not in the typical case of unfair and deceptive 
practices. Many of the kinds of conduct at issue here may violate 
other criminal laws. It’s common 

Mr. Shadegg. Then I want to know if those criminal cases have 
been brought. I want to know all of the cases you’ve brought, all 
of the penalties you’ve exacted and then I want to know all of the 
criminal cases that have been brought that you’re aware of against 
people that engage in this conduct. And I’d like you to supply that 
to the committee. 

Is that all right? 

Mr. Beales. We will be happy to do our best. 

Mr. Shadegg. Let me move to a separate topic. One of the con- 
cerns I have is that in many of these agreements that we talk 
about you say well, they’re legitimate things that are being done. 
There are also illegitimate things that are being done. 

What are you doing with regard to what I call fine print permis- 
sion, that is, I sign an agreement with one of the legitimate compa- 
nies and buried deep, deep, deep in the fine print is a very, very 
small disclosure that says I give you permission to get into my 
computer and do all kinds of things that no rational person would 
want to do. 

Are you pursuing that now? 

Mr. Beales. We think disclosures need to be clear and con- 
spicuous. What that means depends on the consequences of the 
particular disclosure. 

Mr. Shadegg. Have you ever looked at the disclosures that are 
required? Have you brought an enforcement action against some- 
body? 

Mr. Beales. We’ve brought many actions involving disclosures 
that were not sufficiently clear and conspicuous. 

Mr. Shadegg. Okay, I’d like you to supply me with a list of those 
that relate to abuses of, for example, getting into my computer and 
taking privacy information that I don’t approve of. 

Mr. Beales. I don’t think we’ve brought cases that involved end 
user license agreements. We’ve brought numerous cases that in- 
volve insufficiently clear disclosures in a wide variety of contexts 
and the legal principles 

Mr. Shadegg. But not for as an individual consumer? 
Mr. Beales. I’m sorry? 

Mr. Shadegg. You said not end user license agreements. I think 
we’re talking about end user license agreements right now, aren’t 
we? 

It’s my computer they’re getting into and some would contend 
with permission because I signed an agreement that had a fine print 
disclosure. 

Mr. Beales. We have brought numerous cases like that, not in 
the software context. The disclosure issue though of is it clear and 
conspicuous is not fundamentally different. 

Mr. Shadegg. Except we’re talking about the software context 
and if you haven’t brought any of the software context, that doesn’t 
sound like that’s an enforcement tool that will help solve those 
problems. 

I’m going to run out of time. I want to move on, so I’d like to 
know what you contend fits there. 

You have said that it would be impossible, Commissioner, to define 
this issue. I want you to tell me under what circumstances it 
would ever be appropriate for someone to get into my computer 
without my permission and monitor every single keystroke of my 
computer forever and give that information away to somebody else? 

I mean that’s one of the most offensive practices that I think is 
going on here is they get into my computer. You talked about it. 
They put a stroke monitor on my computer and they know every- 
thing I do on that computer and then they sell that information or 
use that information. 

My question to you is, you say it’s impossible to define this legis- 
lation. Under what circumstances would anyone ever want to have 
it occur that someone can get into my computer or your computer, 
monitor every stroke I make without my permission and give that 
information away or use it for their benefit, every stroke? 

Mr. Thompson. I can’t answer that question because I know that 
it would bother me and I know that one of the problems with the 
legislation that’s proposed, to the extent to ask you to give permis- 
sion for context, out of context, you may — what I’m worried about 
is consumers are going to be asked to say yes to behaviors they 
don’t even know are going to happen. 

Mr. Shadegg. You just admitted to me that there is never, you 
can’t imagine — and this is your business — you can’t imagine a cir- 
cumstance under which it would ever be appropriate for somebody 
to get into someone’s computer without their permission and mon- 
itor every single stroke 

Mr. Thompson. For all circumstances 

Mr. Shadegg. Forever. I understand that when I go into my 
Bank One account, I have the choice on my computer to say I want 
to permanently register both my user ID and my password. That’s 
a single transaction. What’s going on here is they’re in my com- 
puter and they do that forever. I quite frankly, and I’m running out 
of time, I do not see a thing different between that and wire- 
tapping. And we don’t say to people who have telephones, you know 
there’s a danger that someone might tap your telephone and listen 
to all of your phone conversations, so you should buy a device, we 
should teach you that, we should address this as consumer edu- 
cation, we should teach you that that might happen and then you 
should buy a device to put on your telephone that stops them from 
tapping your telephone. And yet what I hear both of you from the 
FTC saying is that even though someone under spyware can get 
into your computer, Congressman, and can without your permis- 
sion put a stroke recorder I think was the term you put on it and 
record every stroke you make and every stroke your kids make and 
every stroke your wife makes and know everywhere you go and 
everything you do, we think the way to stop that is to tell you, Con- 
gressman, is to be aware that it might happen and to make you 
go buy something to put on your computer to stop it. 

Mr. Beales. Congressman, I think what we’re more worried 
about is the perfectly legitimate download that you agree to of that 
keystroke monitor from the help desk 

Mr. Shadegg. No, no, no, no. I never 

Mr. Beales. That’s buried in the fine print that gives them per- 
mission to do that indefinitely. 

Mr. Shadegg. I got a flash, I would never ever, ever agree to 
give permission to someone to monitor every single keystroke of my 
computer forever and ever, for a week, for a month. I might give 
permission for one transaction. I might give it to my bank for two 
transactions. But that’s not the abuse we’re talking about and you 
said it’s impossible to write legislation defining this problem and 
yet the Commissioner just admitted to me that he can’t imagine 
ever a circumstance in which it would be appropriate. 

Quite frankly, it’s simply identical to my having my telephone 
tapped — I would never give somebody permission to tap my tele- 
phone. 

Mr. Beales. Congressman, I think it’s more akin to having an 
extension on your phone where sometimes somebody picks it up 
and 

Mr. Shadegg. In my own house? These people aren’t in my 
household. These people are somewhere else, they’re miles away 
and they’re doing this without my permission. 

Mr. Beales. And you invited them in to help you with your 
transaction. 

Mr. Shadegg. Exactly, as if I called the car dealer. If I call the 
car dealer and said I’m interested in a car, I wouldn’t have said to 
that car dealer, oh, by the way, because I called you you have the 
right to tap my phone for the rest of history. 

Mr. Beales. I agree. If that was in the consent, I wouldn’t think 
it was adequate, but that’s because it’s not a consent problem, it’s 
a behavior problem. 

Chairman Barton. Will the gentleman yield? 

Mr. Shadegg. I think it is a consent problem and I think the last 
point here that I want to make is 

Chairman Barton. I would ask unanimous consent that Mr. 
Shadegg have an additional 2 minutes. 

Mr. Stearns. Unanimous consent, so ordered. I would point out 
to the chairman we’re going to have a second round here, so I 
would encourage the gentleman from Arizona to stay around. 

Mr. Shadegg. Unfortunately, I can’t stay around, but I’d be 
happy to yield. 

Chairman Barton. If I have a problem with my telephone, I call 
Southwestern Bell and I say there’s something wrong with my 
phone line. And Southwestern Bell sends a repairman to my house 
to check the phone lines and hopefully repair it, but the Southwestern 
Bell repairman doesn’t just move in with me. 

He doesn’t say what’s for supper and what are you going to be 
watching on TV and you know. Put a beeper on me so that wher- 
ever I go make sure that I’m home in time to cook and clean for 
him. 

So I just simply don’t understand why we can’t agree that these 
unwanted intrusions should be totally explicitly illegal. We’re not 
talking about asking Microsoft when I buy the computer, we have 
to sign an agreement to use the Microsoft operating system on the 
computer. We’re not talking about that. We’re talking about pro- 
grams that get put on our computer without our knowledge and are 
doing things that we don’t want to be done and taking information 
that we don’t want to be taken. 

Do you all agree with that? 

Mr. Beales. I do. I think it’s a question of whether you try to 
prohibit that and make it illegal under the general approach of the 
deceptive practices that were used to install it, or whether you try 
to write legislation that draws bright lines and says you have to 
do it exactly this way. 

We agree there’s a problem. We agree that the kinds of conduct 
you’re talking about here are illegal. The question is what’s the 
best kind of a statute to address that. Is it the general deceptive 
practices authority we’ve already got or is it something more spe- 
cific that says go through these hoops and that constitutes consent 
to this keystroke logger that lives there forever. 

Mr. Shadegg. Let me just tell you where I see you’re coming 
from from my perspective. You’re telling us — and I’m a former 
prosecutor with the Attorney General’s Office in Arizona. You’re 
saying current law is adequate to handle this problem. Oh but, 
we’re really not enforcing the law right now. We think you can’t de- 
fine the issue, although I just gave you a definition that neither 
one of you could say, you’re right, Congressman, that ought to happen 
some time. And then your last answer is self-regulation. I am 
typically a guy who believes very much in industry self-regulation. 
But Commissioner Thompson, you pointed out that we’ve got crimi- 
nals out here engaged in this activity that don’t care that it’s al- 
ready illegal. You tell me how the legitimate industries are going 
to stop those criminals with self-regulation. It’s not going to hap- 
pen. 

We’ve got a wide open door for criminals here. Your answer is 
well, give us time, we may bring an action later. I’m sorry, I just 
don’t think — of course, it’s difficult to write a law in any area. We 
understand that writing definitions in this kind of complex area of 
any law is very difficult and we don’t want overly broad legislation, 
but I’ve got to tell you, doing nothing about the fact that somebody 
can get into my computer and record every single stroke on it and 
that I ought to try to self-protect against that which to me is wire- 
tapping of the current generation, just makes no sense. 

I applaud Ms. Bono and yield back my time. 

Mr. Stearns. The gentleman’s time has expired. My unanimous 
consent, we have a guest who is not a member of the full com- 
mittee or the subcommittee, obviously. We’re going to allow an opportunity 
for him to ask questions for 3 minutes and then we’ll 
have a second round for anybody who would like to — just for the 
members, we’ll have an opportunity for a second round and Mr. 
Inslee will be offered one opportunity for 3 minutes. So I recognize 
the gentleman from Washington. 

Mr. Inslee. Thank you, Mr. Chairman. First I want to thank 
Mary Bono for her vision on this to understand that action was 
needed by Congress and she’s been ahead of the curve and I look 
forward to working with her and others on this. I want to thank 
the committee chair for allowing me to participate and the reason 
is that I’ll be introducing an alternative, a bill to try to address this 
very difficult issue. And I believe it is clear that we need to act and 
I’m disappointed that the Commission has allowed the difficulty of 
this task to overwhelm the obvious necessity for action here be- 
cause we do need action. 

The bill I will be introducing will have two approaches and I 
think it’s a pleasure to hear the testimony of the witnesses because 
it sounds like we might be on the right track. No. 1, the bill I will 
be introducing will address behavior, rather than just a designation 
of type of software and I’ve heard sort of unanimity of the panel 
to date, suggesting that that’s a model that will allow us to cut 
with a sharp scalpel, rather than a blunt instrument and that’s 
what we need to do in this highly tech area. 

Second, it will try to have just in time notice and consent be- 
cause in thinking through this, to me, having the consumer have 
the ability to do notice and consent at the time of the execution 
rather than just even a transmission will be a preferable way to 
do this. So that’s the two thrusts and I look forward to working 
with the committee members on that. 

I want to just give the Commission a moment, my take on what 
is going on is the reason there has been such a spectacular failure 
by the American government to protect consumers from this out- 
right abuse of their privacy that is going on in hundreds of thou- 
sands of cases today is that we have a 20th century law trying to 
regulate a 21st century type of new technology. And what I hear 
from the Commission today is kind of like if in the wild West if the 
bunch rode in and robbed the bank, the regulators are trying to say 
that the townspeople would say well, let’s call for self-regulation. 
I don’t think that’s what the townspeople are calling for here. 
They’re calling for a strong sheriff and a clear definition of what 
is allowable and not allowable. 

Now isn’t it true that the reason that you haven’t taken much 
enforcement action despite these hundreds of thousands of privacy 
violations is that there is relatively great ambiguity and vagueness 
that makes prosecution very difficult for you right now because we 
have so much vagueness in existing law? 

Mr. Beales. No. 

Mr. Inslee. Then what is the reason? 

Mr. Beales. The reason — what limits our ability to bring these 
cases is that, and your bank robbery analogy is somewhat apt, is 
the bad guys ride off into the hills. But these are cyberhills and 
there are no footprints. 

Mr. Inslee. Well, that just won’t wash. In today’s technological 
society, so that we have hundreds of thousands of violations 
and you can’t find a half dozen violators, that doesn’t wash. You 
need to hire some people that come out of private enterprise, if you 
can’t find these guys. 

My time is limited, I need to ask another question. There was 
discussion about notice and consent and we’ll get to that next 
round, if you will allow, Mr. Chair. 

Mr. Stearns. Well, I was just hoping you will participate and I 
give you that opportunity, but I’ll start with myself with the second 
round of questions and I thank the gentleman. 

We have the chairman of the Oversight and Investigations Sub- 
committee and I am very pleased to see him arrive. Before I start, 
Mr. Greenwood, congratulations and we welcome you here. If you 
want to have some questions, you’re welcome. 

Mr. Greenwood. I do. Good morning, gentlemen. I apologize for 
missing the hearing heretofore, but it couldn’t be helped. 

On my home computer, I have experienced what my staff tells 
me is called browser hijacking. And that is we have a home page 
that we had set up that’s useful to our family and all of a sudden 
this bizarre home page is there and it won’t go away. I keep going 
back and re-establishing, resetting MSN, I think it is, is our home 
page and this thing pops up and it’s annoying in a lot of ways, but 
one of the ways it’s annoying is if you try to use it as a search en- 
gine, it only goes — it doesn’t take you where you want to go. It only 
goes to commercial sites that are trying to sell you something. 

And my staff fellow who is with me this morning said that he 
just checked his computer and he has 81 spyware programs that 
have been stuck into his computer. So the question is first off, can 
anyone define for me, browser hijacking just so I know we’re on the 
same page. And then has the question — has the FTC taken any ac- 
tions? I believe there’s been a complaint filed by CDT against 
MailWiper and also against Seismic Entertainment Productions. 
Has the FTC taken any action with regard to browser hijacking? 
If so, what is that? And under current laws, would browser hijack- 
ing be actionable and does the FTC have additional authority to 
pursue those actions? 

There are all the questions and I’d be happy to hear from any 
of you that would like to comment on any of those questions. 

Mr. Friedberg. I’ll just start by defining browser hijacking for 
you. It’s the changing of the key settings in the browser, specifi- 
cally the home page or the search page without appropriate notice 
and choice to the user. 

Mr. Greenwood. I’m sorry, I was interrupted. Say that again? 

Mr. Friedberg. It’s the changing of the key settings in the 
browser, specifically the home page and the search page are most 
common without appropriate notice and choice where you aren’t 
told and you can’t undo it. 

Mr. Greenwood. Is it illegal? 

Mr. Beales. Yes, it is. We have brought cases that challenged 
the practice of page-jacking which is essentially the same thing. 
You try to go to one page and you end up on another. We’ve chal- 
lenged that as an unfair practice and have been successful in doing 
that. 
Mr. Greenwood. You have been successful. And what consequences 
have people who have successfully been prosecuted 
faced? 

Mr. Beales. That particular case was one that was brought in 
about 2000, I believe, and I don’t know exactly what the sanctions 
were in that particular case. 

In general, we can get full redress for consumers who have been 
injured. We get a permanent injunction 

Mr. Greenwood. What would be — how do you redress me? How 
do you — my wife has been trying for years, but how do you com- 
pensate me fairly for this experience? 

Mr. Beales. Well, in cases where injury is difficult to assess and 
this is certainly one, we would frequently go on a disgorgement 
theory of getting back all the money that whoever was behind this 
had received. 

Mr. Greenwood. It’s obviously continuing to be done with impu- 
nity, the people who do this must not have — they obviously don’t 
think they’ll ever be caught or if they think that if they do, they’ll 
make enough money that it will be well worth their effort. 

What do we do about that? 

Mr. Beales. We are trying very hard to make sure they’re wrong 
on both counts. 

Mr. Greenwood. So what should a consumer do? What should 
I do in this case? What are my options as a consumer to respond 
to identify the printout, the home page, the uninvited home page 
and send it to the FTC or what? 

Mr. Beales. As a way to complain, yes. We would love to hear 
from consumers about specific complaints. That’s very useful to us 
as the starting point of an investigation. 

Mr. Greenwood. What’s the most difficult — obviously, anyone 
watching this hearing anywhere in the country right now, I imag- 
ine a very significant portion of them, that’s exactly what happens 
to me and they could all make complaints to the FTC. What do your 
resource limitations have to do with how much action would actually 
occur? 

Mr. Beales. What we use our complaints for and if anybody is 
watching, complaints can go to www.ftc.gov. What we use our com- 
plaints for is to identify targets for law enforcement based on the 
volume of complaints. We do not have the capability to resolve indi- 
vidual complaints, but it does help to figure out what kinds of prac- 
tices are out there, who is doing them and then target our enforce- 
ment actions against those cases. 

Mr. Greenwood. My time is up, but do plaintiffs’ attorneys file 
class action suits in these cases with any success? 

Mr. Beales. I don’t know of any in these cases. The problem that 
we have in terms of financial relief for consumers is that there’s 
not money and that tends to make them unattractive cases for 
plaintiffs’ attorneys as well. 

Mr. Schwartz. In the MailWiper case that you mentioned that 
we brought to the FTC’s attention, there is a class that’s bringing 
a case in North Dakota right now against the same companies that 
we filed the complaint against. 

Mr. Greenwood. Thank you, Mr. Chairman. 
Mr. Stearns. I thank my colleague and I thank him for taking 
the time to come out. 

I’ll start the second round of questioning. Do any of you know 
about the law that passed in the State of Utah? 

Mr. Baker, as I understand, this law allows a private right of ac- 
tion, so what Mr. Greenwood is talking about or Mr. Shadegg is 
talking about, I think they have a private right of action. 

Mr. Schwartz, is that correct? 

Mr. Schwartz. No, you would need to be a website owner or a 
trademark holder. So unless Mr. Greenwood runs his own website 
out of his house, he would not be able to sue in the private right 
of action under the Utah bill, Utah law. 

Mr. Stearns. Well, I mean I’m trying to get to the point that Mr. 
Greenwood and Mr. Shadegg touched on. What rights should con- 
sumers have in the courts when this occurs? 

Mr. Baker? 

Mr. Baker. Speaking to the Utah law specifically, Mr. Chair- 
man? 

Mr. Stearns. Yes. 

Mr. Baker. There’s great concern among the industry, many, 
many companies that the Utah law is overbroad. 

Mr. Stearns. Overbroad. Because it allows too much possibility 
of litigation? 

Mr. Baker. Not so much that is that it outlaws too many things 
and there’s great concern that, for instance, a library’s attempt to 
install filtering software to keep children and other patrons free 
from pornographic websites or parental controls even, that those — 
that this wall would, in fact, bar applications such as that. I don’t 
think that that’s what any of us would be after. 

So getting back to the House bill, one of the things we like about 
the pending legislation here is in fact the pre-emption provisions 
because we are concerned. It would be a cruel irony if, in fact, you 
have an anti-spyware statute that is so broad that it might even 
bar the downloading of anti-spyware software. 

Mr. Stearns. Right, so I think it’s important to say we see one 
State passed a law and we should understand what’s good and 
what’s bad about it, so that if we move forward on the Federal, 
that we not incorporate the bad and try to do what’s good. And at 
the same time, do you think a Federal law should prevent private 
right of action? 

Mr. Baker. This is just a personal observation. 

Mr. Stearns. Yes. 

Mr. Baker. I’m always a little wary of private rights of actions 
in Federal legislation and this was one of the things that was de- 
bated in the recent CAN-SPAM Act, for instance. Ultimately did 
not — was not included, because you do run the risk there of other- 
wise legitimate companies facing the wrath of multiple lawsuits. 

Mr. Stearns. And Mr. Friedberg, how do you feel about that, do 
you agree with Mr. Baker in that respect? 

Mr. Friedberg. I really can’t comment on private rights of ac- 
tion. That’s not my expertise. 

Mr. Stearns. Okay, anyone else? Mr. Schwartz? 

Mr. Schwartz. We’re usually in favor of private right of action 
in this type of case. It would depend on the definition though if it 
is overly broad. We would have concerns about how that might be 
misused in the courts. But generally speaking, we would want to 
see private right of action in a privacy law that would move for- 
ward. 

Second, the Attorneys General, as well, that’s something in the 
Utah law that Attorney General, even the Attorney General in the 
State of Utah can’t act. That seems to us to be a concern as well. 
We want to see the Attorneys General have some power as well. 

Mr. Stearns. I would just say in passing to the Commissioner, 
we passed the Spam Act which prevents all this spam material 
coming into the computer and then we passed the Do Not Call List 
which was saying we didn’t want to have telemarketers come into 
our home. So if you follow the logic in both of these you’re vigor- 
ously implementing, if we’re trying to talk about e-mails and we’re 
talking about telemarketing, it seems to me then the Federal Trade 
Commission would welcome some kind of Federal legislation to pre- 
vent spyware. 

Does that seem logical? 

Mr. Thompson. I understand your point. As was said earlier, the 
devil is in the details. The CAN-SPAM Act is an interesting piece 
of legislation. It’s still a very significant challenge to get at the 
worst actors who are involved in spam for a number of different 
reasons, including the fact that most of the people who are the 
most egregious actors really don’t care about the law. And that’s 
where the real challenges rest. 

Let me say this too. I don’t want the Commission to be character- 
ized as being uncaring or inactive 

Mr. Stearns. No, I want to give you the last word here. Here’s 
your chance. 

Mr. Thompson. We brought the workshop to bring public atten- 
tion to this issue. We’re asking industry to self-regulate for one 
very important reason, we want them to begin to outline standards. 
That’s going to be instructive for us on this issue going forward no 
matter what, not only on talking to consumers about what’s good 
behavior and what’s bad behavior, but even in talking to us as law 
enforcers or talking to legislators about understanding where that 
line is. 

Right now, that discussion hasn’t really taken place and that’s 
one of the reasons why we’ve asked for the workshop to begin to 
outline the parameters of what this issue is about. 

Mr. Stearns. Thank you. My time is expired. The chairman of 
the full committee, the gentleman from Texas, Mr. Barton. 

Chairman Barton. Thank you. I want to ask Mr. Friedberg a 
question. Your responsibility at Windows is to monitor the privacy 
protection that is built into the base Windows program, is that 
right? 

Mr. Friedberg. Actually, the way I define my job is I would like 
to think that I make people feel better about using Windows by 
protecting their privacy, most notably by giving them notice and 
choice and appropriate control. 

Chairman Barton. Is it Microsoft’s assumption that the com- 
puter in a person’s home is that person’s private property? 

Mr. Friedberg. Their physical hardware, yes, I believe they li- 
cense the software from us. 
Chairman Barton. Is it Windows’ position that access to that 
computer is the prerogative of the person who owns it in their 
home? 

Mr. Friedberg. A person should be able to control what goes on 
in their computer, sure. 

I don’t know, did that answer your question? 

Chairman Barton. So if we wanted to postulate such a thing as 
computer trespass, just like if somebody walks through the phys- 
ical front door of my home without my permission, they’ve created 
a crime. They’ve trespassed. 

So if somebody comes into my computer without my permission 
and I chose to prosecute whoever came in to my computer, I could 
accuse them of criminal or computer trespass. Now I don’t know 
that there is — I’m not an attorney and this isn’t the Judiciary Com- 
mittee, but the concept of computer trespass. 

Mr. Schwartz. I was just going to add that the Computer Fraud 
and Abuse Act is partially aimed at that idea. If there is damages, 
certain kinds of damages, the Department of Justice is supposed to 
be able to go after companies that do trespass-caused damage on 
people’s computers. We haven’t seen them act in these kind of 
cases though. 

Chairman Barton. We’re kind of talking past each other. In my 
first round with Mr. Thompson, Commissioner Thompson and Di- 
rector Beales, they were talking about deceptive trade practices. I 
don’t consider it a deceptive trade practice when somebody violates 
my privacy. They’ve trespassed against me. 

We all seem to be in agreement that if it was a live person com- 
ing into our home, that wouldn’t be right unless we wanted them 
in our home. But when we talk about using the internet to come 
into our personal computers, then you get into this debate about 
if it’s fair or unfair and all the good things that theoretically hap- 
pen when people do come into our computers without us knowing 
about it. 

Well, I can have a debate that all day, but I want to ask the gen- 
tleman from Windows if this concept of computer trespass is some- 
thing that we can work with? 

Mr. Friedberg. From a personal perspective it makes intuitive 
sense to me. I very much believe in making sure there’s consent be- 
fore someone does something on your computer. 

Chairman Barton. Now I understand that the FTC doesn’t have 
criminal prosecution ability. You’re civil. You can fine people, but 
if we worked with the Judiciary Committee to define as a crime the 
concept of computer trespass, Commissioner Thompson, is that 
something that the FTC would be comfortable working with us to 
get the definition right? 

Mr. Thompson. We are always happy to work with the com- 
mittee. Let me just point out a challenge though. The trespass 
issue is an interesting issue. What I find more often the question 
is defining when you’ve actually invited people in and going further 
is when you’ve asked them to actually come into your kitchen be- 
cause you may have asked them to come in to your house, but you 
may not have asked them to walk around to places where you 
didn’t want them to walk around. 
Chairman Barton. I understand that. And I from time to time 
on my personal computer in Inez, Texas have downloaded Windows 
software and I have downloaded game, videogame software from 
certain companies and I wanted that. Now if they put something 
on my computer when I downloaded what I wanted that I didn’t 
know about to track my behavior, I want to put a stop to that. 

If I open my door and there’s somebody from Amway outside the 
door wanting to sell me a product, I can make a decision and invite 
them in and buy the product or not buy the product. And even to 
this day and age, Inez, Texas is a small enough town that we do 
have some door to door salesmen and saleswomen still come by and 
I’m okay with that, so I want to apply that same concept of privacy, 
the physical front door, to the computer front door. And I want the 
Microsoft people to help us and I want the FTC people to help us 
and at a certain point in time, we want the Department of Justice 
to help us. 

If you all understand that, then we’re going to be okay. Nobody 
is trying to prevent a legitimate business entity from providing a 
product that is wanted to the end user in their home. We’re all, I 
think, trying to prevent the unwanted intrusion that is used for 
purposes that we have not approved and most of the time without 
our even knowing about it. That’s what we’re trying to prevent. 

Mr. Friedberg. We are very eager to work with anyone who is 
trying to address this problem. 

Chairman Barton. With that, Mr. Chairman, I’m overextended 
again and I’m going to yield back. 

Mr. Stearns. I thank the chairman. 

Chairman Barton. Let me say one final thing. I don’t want any- 
body to be under the impression that this hearing is just a hearing 
and nothing is going to happen. We are going to move heaven and 
earth to work on a bipartisan basis to modify the Bono Bill and 
move it at subcommittee and at full committee and onto the floor 
and through the House and hopefully get a companion bill in the 
Senate and go to conference and get a conference report that’s 
passed by the House and the Senate this year. 

I’m not guaranteeing that that will happen, but that is the intent 
of this hearing to start the process, regular order to make that pos- 
sible. 

Mr. Stearns. I thank the chairman. The gentlelady from Cali- 
fornia. 

Ms. Bono. Thank you, Mr. Chairman, I kind of liked it up there 
in that big fancy chair, but I’m happy to be back here and to Chair- 
man Barton, also you forgot the best part of due process and that 
was where the President signs the bill, ultimately, so I’m looking 
forward to that day as well. 

Chairman Stearns has mentioned repeatedly, I believe, about 
what will become a patchwork of State laws and we’ve seen the 
Utah bill. There’s also a pending bill in State legislature of Cali- 
fornia that was introduced in February. Now as I understand the 
language, and what it does, they say it prohibits a person or entity 
conducting business in California from hijacking a user’s computer, 
from inhibiting the termination of a computer program and from 
surreptitious surveillance of a user’s computer in California. 
I don’t know that that protects the California consumer, but I 
know that lends to the nightmare of patchwork of different State 
laws, so I think that further gives weight to what we’re trying to 
do here. 

I also want to point out that California was the first State to 
pass anti-spam legislation. 

Commissioner Thompson, I understand you opposed anti-spam 
legislation on the Federal level. Is that true or did you support 
anti-spam legislation? 

Mr. Thompson. I don’t believe I expressed opinion one way or 
the other. 

Ms. Bono. Okay, did the FTC oppose originally? 

Mr. Beales. The FTC at various points along the way did not 
recommend legislation. 

Ms. Bono. Okay, and are you using it now? 

Mr. Beales. Well, when CAN-SPAM passed, it was with the 
Commission’s support. We are announcing our first case today. 

Ms. Bono. Great news. Hopefully that will be the same case 
here, that we’re going to turn you guys around too and we’ll be one 
big happy family. 

But on to Microsoft, you mentioned a problem with my bill and 
I wanted a one-step removal tool. As I understand it, with Kazaa 
or a real fun version of spyware, adware, I guess Bonzi Buddy. If 
you guys are parents, you know what I’m talking about, this cute 
little purple gorilla swings suddenly on your monitor, and kids love 
to download this little Bonzi Buddy. But to remove it is nearly im- 
possible, and when we’ve tried to remove little Bonzi Buddy, the 
purple gorilla, he somehow comes back. Is it that impossible? 
Microsoft, with all of these programs, especially Windows XP, why 
can’t we do one step removal tool? 

Mr. Friedberg. Well, actually, it’s largely due to the bad actor in 
this case. If they don’t provide that kind of functionality when they 
install the software, it’s going to be hard to figure out how to re- 
move it. 

I totally advocate the goal of trying to make things as easy for 
people to uninstall as possible. The only trick, again, the devil is 
in the details is that software is a complex kind of beast and 
there’s scenarios where it’s very hard, if not impossible, to remove 
parts of software without removing larger chunks of things. You 
can’t remove things, for example, that are already in use by other 
programs and certain things that might be for security, you might 
want to think twice about removing. 

Trying to get it right in codifying into law how an uninstall 
should work is what’s the challenge, not the intent of having con- 
trol over your system. Fully agree, we want to be able to get rid 
of stuff when we don’t want it. At a minimum, disable it, neutralize 
it and at best actually not having any remnants left over. It’s just 
kind of challenging to do it in all cases. 

Ms. Bono. It’s like those little .dll files, isn’t it? 

Mr. Friedberg. The problem is legitimate software has reasonable 
scenarios where uninstall is just not that easy. It’s the way 
software is. 

Ms. Bono. Well, it seems to me that if this law were passed, that 
when people installed this onto computers, they would just have to 
come up with a way to do it, and it’s common sense to me if you 
instruct him to build a program that way that they could. If we 
don’t tell them to do it, they’re not going to do it. But is it your 
understanding to? Am I missing something on removing Bonzi 
Buddy and Kazaa? Are they sort of self-perpetuating? 

Mr. Friedberg. There’s this other kind of problem and some peo- 
ple call them tickler applications and stuff like that. They’ll actu- 
ally attempt to reinstall a piece of software after you’ve deleted it. 
I consider this very deceptive practice since it’s a covert install and 
hopefully there are laws already that sort of address this kind of 
behavior. 

Ms. Bono. How is that different than a virus? I understand how 
it’s different than a virus, but I’m hoping you’ll answer the ques- 
tion the way I want you to answer it. A virus we all see as detri- 
mental because it’s self-replicating and it passes from computer to 
computer without knowledge. But suddenly now because somehow 
you’ve downloaded this thing and it’s not self-replicating, just be- 
cause it’s passed on by a third party, in a sense it is a virus. I see 
it as a virus without the self-replicating tool, but it’s just as harm- 
ful as a virus is. 

Mr. Friedberg. Along those lines, when you look at a virus, peo- 
ple talk about viruses because of how they propagate, as you point 
out. And it’s the payload inside the virus that’s the issue. I mean 
some viruses might be benign in terms of how they actually do 
what they do. They may just count things or something, who 
knows? 

But it’s what the payload is doing and if someone is doing some- 
thing destructive on your machine, they should be punished, re- 
gardless of how it got there. 

Ms. Bono. Thank you. Can you briefly define for the sake of re- 
fining my legislation two points, why a cookie is not considered 
spyware? 

Mr. Friedberg. A cookie is just a simple data storage facility. It 
makes life easier for people who may surf the web in order to keep 
state. It’s not an active component and the way the web is set up, 
these cookies are only read by the websites that put them there. 
It’s their local storage to make life easier for you. 

It’s up to them, the site that you’re going to, to tell you what 
they’re going to do with the cookie and you know, if they’re going 
to track you or do some kind of behavior like that, it needs to be 
in their privacy statement. But cookies in themselves are not nec- 
essarily anything worse than a file. 

Ms. Bono. Thank you. Also, are there any type of spyware func- 
tions that are utilized in good ways for the enabling of e-mail or 
instant messaging? 

Mr. Friedberg. I just think of spyware using that term as some- 
thing that’s a negative. I would never consider something spyware 
as being a positive thing. The functions of spyware may have posi- 
tive elements. For example, tracking. I know I got to Amazon.com 
and I get suggestions for books I might want to read that are simi- 
lar to other books and I like that. I call that personalization when 
the tracking is done with my consent. I have control over it and 
it’s to my benefit. So tracking is not the problem. It’s unauthorized 
tracking or covert tracking which is spying. 
I can’t imagine a time where that’s valid, except for maybe some 
small examples, for example, as a parent, maybe you want to track 
the behaviors of your children and you want to have the right to 
be able to put some kind of key logger to be able to see what 
they’re doing. If that’s okay by local law, then that should be per- 
mitted. Likewise an employer/employee relationship. If it’s allowed 
that you can monitor employee behavior, you’re going to use one of 
these tools that we talked about and that’s a valid, potentially legal 
use that makes sense. 

Ms. Bono. Actually, the bill clearly defines those two uses as 
fine. But also, I always think that’s sort of repetitious anyway be- 
cause the owner of the computer is generally the parent, first of all. 
So you’re installing it on your own property and I would think the 
same with an employer, but we do define those two in the bill. 

Mr. Chairman, I have gone over my time. I just really want to 
thank you for this hearing and thank our panelists. I really look 
forward to passing something that protects the American consumer 
and continues to broaden the American experience with computers. 

Mr. Stearns. I thank the gentlelady and we’ll conclude our hear- 
ing. 

Mr. Friedberg, I think you answered her question when the ques- 
tion was it’s not easy to take the spyware off your computer. If I 
went back to my computer without having a high tech person, I 
couldn’t do it, could I? 

Mr. Friedberg. Actually, what I recommend to people nowadays 
is to use a third party and a spyware tool. 

Mr. Stearns. You need a spyware tool, you need a third party 
and somebody needs to have technical expertise. 

Mr. Friedberg. As of today. 

Mr. Stearns. As of today. 

Mr. Friedberg. That’s the situation. These things are relatively 
new and people are just trying to catch up with the way that 
they’re doing what they’re doing. 

We would like to see longer term solutions that are more holistic, 
especially in the technology area because we have some control 
over that, that make it less likely that this can happen to you. 

Mr. Stearns. But I think it goes to the heart of what Ms. Bono 
has mentioned is, in the heart of the discussion today is that the 
average consumer cannot take these off themselves and second, 
they don’t even know they’re on the computer. 

Mr. Friedberg. I can’t take them off myself. 

Mr. Stearns. You can’t. 

Mr. Friedberg. I use a third party tool at this point. 

Mr. Stearns. Okay. 

Mr. Friedberg. And I’m looking for relief as well. 

Mr. Stearns. I’ll just conclude by saying that I think spyware is 
not just at our gates, but through the gate, through the door of our 
homes and now in our computers with full spying privileges and I 
think this hearing has brought a lot of information to the forefront 
and helps obviously all of us as legislators to think this through 
and try to come up with legislation which is balanced and I want 
to thank all of you for your time and your patience. With that, the 
subcommittee is adjourned. 

[Whereupon, at 12:22 p.m., the hearing was concluded.] 
[Additional material submitted for the record follows:] 

Prepared Statement of Roger Thompson, Vice President of Product 
Development, PestPatrol, Inc. 

Mr. Chairman and Members of the Subcommittee, thank you for the opportunity 
to submit comments on the important issue of spyware and its threats to the secu- 
rity and privacy of consumers and businesses. 

Before I offer an assessment of the situation and possible actions to address it, 
let me provide a brief overview of my company. PestPatrol was founded in May 2000 
by a team of security software professionals to counter the growing threat of mali- 
cious non-viral software. We are the leading provider of anti-spyware software to 
consumers. Our database of malicious code — what we call “pests” — is the most ex- 
tensive in the industry and serves as the basis for many of the research results 
about which we read in the press. 

Definition Debate 

No one debates that spyware is becoming a relentless onslaught from those seek- 
ing to capture and use private information for their own ends. However, there 
continues to be much debate about what constitutes spyware. 

While that debate is an important one in terms of possible remedies, we can count 
the cost that unfettered spyware is having on individual users as well as on cor- 
porate networks. Regardless of whether we agree to divide the term spyware into 
various subsets such as adware or malware, the truth is that any software applica- 
tion, if it is downloaded unknowingly or unwittingly, and without full explanation, 
is unacceptable and unwelcome. 

At PestPatrol we define spyware as any software that is intended to aid an unau- 
thorized person or entity in causing a computer, without the knowledge of the com- 
puter’s user or owner, to divulge private information. This definition applies to le- 
gitimate business as much as to malicious code writers and hackers who are taking 
advantage of spyware to break into users’ PCs. 

Spyware Dangers Real and Extensive 

The dangers of spyware are not always known and are almost never obvious. Usu- 
ally, you know when you have a virus or worm — these problems are “in your face”. 
Spyware silently installs itself on a PC, where it might start to take any number 
of different and unwanted actions, including: 

• “Phoning home” information about you, your computer and your surfing habits to 
a third party to use to spam you or push pop-up ads to your screen 
• Open up your computer to a remote attacker using a RAT — a Remote Access Tro- 
jan — to remotely control your computer 
• Capture every keystroke you type — private or confidential emails, passwords, 
bank account information — and report it back to a thief or blackmailer 
• Allow your computer to be hijacked and used to attack a third party’s computers 
in a denial-of-service attack that can cost companies millions and make you lia- 
ble for damages 
• Probe your system for vulnerabilities that can enable a hacker to steal files or 
otherwise exploit your system. 

The newest threat is that of large numbers of captured personal computers mobi- 
lized into “Bot Armies” and used to launch highly organized Distributed Denial of 
Service (DDoS) attacks aimed at disrupting major business or government activity. 
Individual PC users are never aware that their machine is being used to disrupt 
internet traffic. There is currently little or no recourse to a legal solution even if 
the occurrence can be monitored. 

Many PC users have unwittingly loaded, or unknowingly had spyware downloaded 
onto their computers. This happens when a user clicks “yes” in response to a 
lengthy and often extremely technical or legalistic end user licensing agreement. Or 
it happens when a user simply surfs the web, where self-activating code is simply 
dropped onto their machines in what is known as a “drive-by-download.” 

Spyware Harms Computer Performance 

The misuse of technology and hijacking of spyware is a real and present danger 
to security and privacy. Unfortunately, the ill effects of spyware do not stop there. 
Spyware seriously degrades computer performance and productivity. 

Testing earlier this month at the PestPatrol research laboratory revealed that the 
addition of just one adware pest slowed a computer’s boot time — the amount of time 
it took to start up and function — by 3.5 times. Instead of just under 2 minutes to 
perform this operation, it took the infected PC close to 7 minutes. Multiply that by 
a large number of PCs and you have a huge productivity sink hole. Add another 
pest and the slow-down doubles again. 

We also tested web page access, and again it took much longer once a pest was 
added to a clean machine. Almost five times longer in fact for a web page to load 
on an infected PC. The pest also caused 3 web sites to be accessed, rather than the 
one requested, and caused the PC to transmit and receive much greater amounts 
of unknown data — 889 bytes transmitted compared to 281 transmitted from the 
clean machine, and 3086 bytes received compared to 1419 bytes received by the 
clean machine. This translates into significant increases in bandwidth utilization. 
Managing bandwidth costs money. 

Increased costs due to unnecessary consumption of bandwidth on individual PCs, 
and the necessary labor cost in rebuilding systems to ensure they are no longer 
corrupt, are virtually unquantifiable. It’s likely quite large. System deg- 
radation is time consuming for the individual PC user and even more so for network 
administrators managing corporate networks. Even new PCs straight from the fac- 
tory come loaded with thousands of pieces of spyware, all busy “phoning-home” in- 
formation about the user and slowing down computing speeds. 

Users do not invite this spyware onto their machines and should not have to live 
with it. Clearly this level of infestation is stepping beyond the bounds of what is 
fair and reasonable. 

Solutions 

On the basis of our extensive work in this area, we at PestPatrol believe only a 
combination of consumer education and protection, disclosure through legislation, 
and active prosecution will provide the answer needed to address the spyware 
threat. None of these solutions by themselves is enough. While we advocate and ap- 
plaud industry self-regulation, we do not believe that it alone will be speedy or dra- 
matic enough to address the spyware problem. 

The first line of defense is education and protection. Any individual or business 
connected to the Internet today has to realize they are part of a complex network 
that is inextricably intertwined. Creators of spyware take advantage of that fact, 
plus the knowledge that most PC users are not sophisticated technologists. As an 
industry, we have begun to make computer users aware of the spyware threat by 
the creation of and active outreach by several groups and organizations. PestPatrol 
is a founding member of the Consortium of Anti-Spyware Technology, or COAST, 
a non-profit organization of anti-spyware companies and software developers com- 
mitted to best practices. 

Consumer education about spyware and promotion of comprehensive anti-spyware 
software aimed at detecting and removing unwanted pests is fundamental to our 
outreach. Our efforts are modeled after the decade-long effort by anti-virus software 
companies to raise awareness about virus threats. However, we also acknowledge 
that consumers, precisely because of the insidious nature of spyware, can only do 
so much to protect themselves, and cannot be alone responsible for controlling the 
spread of spyware. 

Which brings us to the second line of defense — disclosure legislation. All applica- 
tions, including those that are bundled and downloaded along with free software 
and with legitimate commercial applications, should be readily identifiable by users 
prior to installation and made easy to remove or uninstall. It is this transparent 
disclosure, and the ability of consumers to decide what does and does not reside on 
their systems, that needs to be legislated. Consumers should have the ability to 
make fully informed decisions about what they choose to download onto their ma- 
chines, while understanding the implications of doing so. 

The third line of defense is aggressive prosecution. The deceptive practices em- 
ployed by many spyware developers are already illegal under existing laws against 
consumer fraud and identity theft. Law enforcement agencies at the federal and 
state level should be encouraged to more aggressively pursue and prosecute those 
who clandestinely use spyware to disrupt service, steal data or engage in other ille- 
gal activity. A greater focus on spyware and the necessary allocation of resources 
to pursue this criminal activity is vital. 

Spyware is a significant threat to the effective functioning and continued growth 
of the Internet. It is more than a nuisance. Given the dangers it represents, it is 
important that consumers, business and government work together to address the 
issue and safeguard the productivity and utility of the Internet computing environ- 
ment. 

I sincerely appreciate the opportunity to present my company’s ideas on how to 
achieve this goal. Thank you. 
Prepared Statement of Webroot Software, Inc. 

Webroot Software, Inc. appreciates the opportunity to provide written comments 
in conjunction with the Subcommittee’s hearing on spyware. The hearing title is 
most appropriate. Spyware presents a serious problem for both the public and busi- 
nesses, yet there is still minimum awareness about the significant risks associated 
with the rapid growth of spyware. 

Experts at Fighting Spyware 

Webroot Software, Inc., was founded in 1997 to provide computer users with pri- 
vacy, protection and peace of mind. Today, Webroot provides solutions and services 
for millions of users around the world, ranging from enterprises, Internet service 
providers, government agencies and higher education institutions, to small busi- 
nesses and individuals. 

Among its award winning products is Spy Sweeper, winner of PC Magazine’s 2004 
Editors’ Choice award. The magazine’s objective review of 14 spyware detection 
products found: “Spy Sweeper is the most effective standalone tool for detecting, re- 
moving and blocking spyware.” In the April 5 issue of Business Week, Stephen 
Wildstrom, author of the “Technology and You” column also recommended Spy 
Sweeper, referring to Webroot as the “established leader” in the market. 

Webroot’s world headquarters is located in Boulder, Colorado, with a European 
headquarters in Frankfurt, Germany, and sales offices in Chicago, London, Amster- 
dam, and Paris. Webroot products are sold online at www.webroot.com, and at lead- 
ing retailers around the world, including Best Buy, CompUSA, Circuit City, Fry’s, 
Staples and MicroCenter. In addition, Webroot provides a full suite of privacy and 
security solutions designed to help ISPs like Earthlink provide value-added products 
and services to their customers. 

Every day, Webroot employees talk to computer users in the U.S. and Europe who 
are being negatively impacted by spyware that has found its way onto their com- 
puters. Webroot is on the front lines fighting spyware, but Congress and the Federal 
Trade Commission (FTC) have critical roles to play on this issue to increase public 
awareness, develop and reinforce clear rules, and actively enforce the law. 

Defining Spyware 

In 2003, Webroot helped to found the Consortium of Anti-Spyware Technology 
vendors (COAST), a non-profit organization established to facilitate collaboration 
among spyware detectors and increase awareness of the growing spyware problem. 

COAST defines spyware as: Any software program that aids in gathering in- 
formation about a person or organization without their knowledge, and 
can relay this information back to an unauthorized third party. 

“Without your knowledge” and “to an unauthorized third party” are key compo- 
nents of this definition. The FTC recently held a workshop on spyware, which they 
appropriately titled: “Computer Monitoring Software on Your PC: Spyware, Adware, 
and Other Software.” As the problem of spyware has grown, a slew of new words 
have surfaced. For informational purposes, we have attached as an appendix the 
glossary of spyware-related terms developed by COAST. 

From a pure technology point of view, there is little difference between computer 
monitoring programs that serve legitimate purposes and those that put your privacy 
and personal information at serious risk. For example, a keylogger program like 
ChildSafe, a Webroot product, provides parents with the ability to monitor their 
children’s online activities by tracking what the child types on the keyboard. A 
functionally similar keylogger program installed without permission by JuJu Jiang on 
computers in at least 15 Kinkos stores provided him with personal information 
about over 400 people, which he used to open bank accounts and commit other ille- 
gal activities. Fortunately, that was one case that the government successfully in- 
vestigated and prosecuted, but there are many more cases where the perpetrators 
are not yet identified, or even worse, where the victims do not even know they are 
victims. 

Thus, there is not a technological definition for spyware. The definition is contex- 
tual — how the program came to reside on your computer is a threshold question to 
defining it as spyware. 

The Anatomy of Spyware 

There are many kinds of programs that fit within this definition of spyware. The 
COAST glossary attached as an appendix provides a more complete list, but there 
are four most common forms of spyware. 

Back Door Trojans are malicious programs that appear as harmless or desirable 
programs. Back Door Trojans deploy remote access tools, allowing hackers to gain 
unrestricted access to a user’s computer. Trojans can be deployed as email attach- 
ments, or bundled with another software program. 

Keyloggers are programs that can monitor and record the user’s every keystroke. 
Key loggers can be used to gather sensitive data such as username and password, 
private communications, credit card numbers, etc. 

System Monitors are applications designed to monitor computer activity. These 
programs can capture everything that is done on a computer. Information can be 
received at the computer, through remote access, or scheduled emails. 

Adware is advertising supported software that displays pop-up advertisements 
whenever the program is running. Once installed, these programs will download and 
install new software and data files — advertisements, etc. — based on user activities 
such as websites visits. 

Unlike a virus that many users get in the same way at the same time, spyware 
finds its way onto your computer through multiple channels at multiple times. 
Spyware may arrive bundled with freeware or shareware, through peer-to-peer 
downloads, attached to or embedded in email or instant messenger communications, 
as an ActiveX installation, or it may be placed on your computer accidentally or de- 
liberately by someone with access to it. Once on your system, spyware secretly in- 
stalls itself and goes to work. 

Anti-virus software does not offer protection from spyware because spyware is not 
viral. Since it attaches itself to legitimate downloads, spyware can often pass easily 
through firewalls unchallenged. And by intertwining itself with files essential to sys- 
tem operation, spyware cannot be safely removed by simply deleting files with a sys- 
tem-cleaning tool. 

In its most benign form, spyware can significantly slow systems down and result 
in more pop-up ads than usual. The more malicious spyware programs can lead to 
identity theft, theft of intellectual and other property, and data corruption. Unlike 
personalization or session cookies, spyware is difficult to detect, and difficult (if not 
impossible) for the average user to remove manually. 

Some of the types of information collected by spyware programs without the 
knowledge of the computer owner are: 

• Usernames and Passwords 

• Electronic Assets 

• Browsing Habits 

• Applications Used 

• Personal Information 

• Email & IM Conversations 

• IP and Trade Secrets 

• Financial Records 

• Customer Databases 

Spyware can execute unwanted, unauthorized, and/or inappropriate code and use 
vital system resources. Spyware programs can be used to facilitate the unauthorized 
use of your machine for things like: 

• Email Forwarding to Send Spam 

• Background Computing 

• Hacker Attacks 

While some argue that spyware is installed with the user’s knowledge (although 
the user may not understand exactly what s/he has done), most of the time it is 
installed surreptitiously as part of another program installation. Even if the bun- 
dling of software and information tracking practices are disclosed to the consumer 
through the End User License Agreement (EULA), such disclosures are rarely clear 
and conspicuous. Even when they exist, notices often fail to provide users with a 
real understanding of what information will be collected and how the entity col- 
lecting the information will use it. 

A Real and Growing Problem 

Earthlink and Webroot collaborated in the first quarter of 2004 to offer a free 
SpyAudit to Earthlink subscribers. On April 15, 2004 the companies jointly released 
the findings for January 1, 2004 through March 31, 2004. During that timeframe, 
1,062,756 spyware scans were run, identifying a total of 29,540,618 instances of 
spyware, meaning roughly 28 instances of spyware per PC. Of particular concern 
were the large number of System Monitors and Trojans found, which accounted for 
369,478 of all the spyware instances found. 

Expert reports have estimated that 9 out of 10 PCs in the United States are in- 
fected with spyware. Studies have often showed that spyware is growing at a much 
faster rate than computer viruses. 
Responding to Spyware 

The unfortunate reality is that there is probably no way to completely eradicate 
spyware. The Internet is global, which makes establishing and enforcing legal 
standards challenging. There are also significant economic drivers that make the 
creation and dissemination of spyware very appealing to many people, both in the 
U.S. and abroad. The combination of a profit-driven motivation, coupled with the 
vulnerability of personal information, makes spyware unique and more threatening 
than many other online security and privacy concerns, like viruses and spam, which 
the government has addressed in the past several years. 

It is clearly going to take a combination of technology, public education, sound 
public policy and strong enforcement to address this problem. To that end, we ap- 
plaud the efforts of Congresswoman Bono, Congressman Towns, Senators Burns, 
Boxer and Wyden and the FTC to call attention to the serious negative impacts that 
spyware can have on the public and the economy. Increased awareness and edu- 
cation about spyware is essential to effectively deal with the problem. 

Certainly, regulating technology-related issues is inherently tricky, but this is not 
an issue that will go away by itself, and industry self-regulation is unlikely to ade- 
quately address the issue in a reasonable time frame. Congress has an opportunity 
to address this issue before it becomes debilitating. H.R. 2929 and S. 2146 offer al- 
ternative approaches, both with good qualities. We urge that this issue not be set 
aside to resolve itself — because it won’t. We are on the front lines of this arms race, 
and we need reinforcement in the form of clear rules related to spyware to help us 
effectively fight for businesses and consumers who need to retain control over their 
PCs. 

We appreciate the opportunity to share our views with the Subcommittee. 

Glossary of Spyware Related Terms Developed by the Consortium of Anti- 
Spyware Technology Vendors 

Adware: Often used as a term for spyware, it is preferred and used by makers 
of software that include ad-serving mechanisms. Adware is advertising-supported 
software that displays pop-up advertisements whenever the program is running. 

Browser Helper Object (BHO): A small program that runs automatically every 
time an Internet browser is launched. Generally, a BHO is placed on the system 
by another software program and is typically installed by toolbar accessories. They 
can track usage data and collect any information displayed on the Internet. 

Bundled: An arrangement in which one or more software programs are included 
with another program, for technical reasons or because of a business partnership. 
Many instances of spyware installations come through bundling. 

Cookie: A mechanism for storing a user’s information — such as login information 
and passwords, or a user’s previous activity on a site — on a local drive. 

Dialers: Dialers are software that, once downloaded, disconnects the user from 
his or her modem’s usual Internet service provider and connects to another phone 
number, for which the user is then billed. 

Drive-by Download: While not a piece of spyware itself, this misleading dia- 
logue box serves as a gateway for the stealth installation of spyware applications. 
In some cases, spyware can be installed even if the user does not choose the “yes” 
or “accept” button. 

File-sharing programs: These are software applications that allow the exchange 
of files (especially music, games, and video) over a public or private network. See 
Peer-to-Peer. 

Freeware: Software that can be downloaded and shared at no cost. 

Hijacker: Hijackers typically come in two categories, Browser/Page Hijackers 
and System Hijackers: 

Browser/Page Hijackers: Applications that attempt to take control over a user’s 
home page or desktop icons, resetting them to a pre-determined website des- 
tination. 

System Hijacker: Software that uses the host computer’s resources to proliferate 
itself or use the system as a resource for other activities. This taxes the host 
computer’s resources, negatively affecting computer and Internet speeds. 

KeyLoggers — See System Monitors. 

Opt-in: An online process by which a user chooses to receive information (such 
as e-mail newsletters) or software, often by checking a check box on a Web page 
or software installation screen. 

Opt-out: An online process (such as un-checking a pre-checked box) by which a 
user actively chooses not to receive information, such as e-mail newsletters or 
software. Actively opting out will prevent a user’s information from being shared 
with businesses. 

Users should be warned that most “opt-out” options are actually a scam that 
serves to confirm legitimate/active email addresses. Privacy experts recommend that 
users do not use the “opt-out” option unless they are personally familiar with the 
company where the email originated. 

Parasite: A parasite is unsolicited commercial software or programs installed on 
a computer for profit without the consent or knowledge of the user. 

Parasiteware: Parasiteware is the term for any Adware that by default over- 
writes affiliate-tracking links. This behavior is viewed as parasitic because this soft- 
ware diverts affiliate commissions and credits the affiliate’s income to another 
party. To the end user, Parasiteware is not a serious security threat. See Thiefware. 

Peer-to-peer (P2P): A method of file sharing over a network in which individual 
computers are linked via the Internet or a private network to share programs/files, 
often illegally. Users download files directly from other users’ computers, rather 
than from a central server. 

Many P2P programs bundle third-party advertising programs, and are currently 
the second largest source of virus, Trojan and data mining infections. 

Remote Administration Tools/RATs: Some Trojans, called RATs (Remote 
Administration Tools), allow an attacker to gain unrestricted access to a computer 
whenever the user is online. The attacker can perform activities such as file 
transfers, adding/deleting files, and controlling the mouse and keyboard. 

Scumware: A slang term for spyware or any unwanted software/programs installed 
on your computer. 

Shareware: Software that is distributed — usually via the Internet and/or 
CD-ROM — for free and on a trial basis. 

System Monitors/Keyloggers: These applications are designed to monitor com- 
puter activity to various degrees. They can capture virtually everything a user does 
on his or her computer, including recording all keystrokes, emails, chat room con- 
versations, web sites visited, and programs run. 

Thiefware: Thiefware applications steal affiliate commissions by either 
overwriting tracking cookies or spawning new windows to redirect traffic from search 
engine keywords or other websites. This practice, while not currently illegal, is 
considered unethical among those in the merchant/affiliate community. See 
Parasiteware. 

Tracking Cookies: Not to be confused with personalization cookies (which allow 
users to customize pages and remember passwords), some web sites now issue track- 
ing cookies. Tracking cookies allow multiple web sites to store and access records 
that may contain personal information (including surfing habits, user names and 
passwords, areas of interest, etc.), and subsequently share this information with 
other web sites and marketing firms. 

Trojan Horses: Trojans are malicious programs that appear as harmless or de- 
sirable applications. Trojans are designed to be actively harmful to PCs by inten- 
tionally damaging PC operating systems, other software or hard drives. Trojans are 
generally distributed as email attachments or bundled with another software pro- 
gram (often fraudulent versions of legitimate software). 

Web bugs: A file, usually a small or invisible graphic image, that is placed on 
a Web page or in e-mail to allow a third party to monitor user behavior. 
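As an added example for the glossary entries on web bugs and tracking cookies (not code from the consortium or the hearing record), the following Python heuristic flags likely web bugs in a page: tiny or hidden image tags loaded from a site other than the page's own. The page host, sample HTML and ad-network host names are constructed.

```python
"""Flag likely web bugs (tracking pixels) in an HTML page.

Added example, not code from the hearing record. Heuristic: an <img> that is
1x1 or hidden AND is served from a different site than the page itself.
Page host, sample HTML and ad-network host names are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_HOST = "www.example-news.test"  # constructed first-party host

# Constructed sample page: a normal logo, two third-party pixels, one first-party spacer
SAMPLE_HTML = """
<html><body>
<img src="/logo.png" width="200" height="50">
<img src="http://tracker.example-ads.test/pixel.gif?uid=42" width="1" height="1">
<img src="http://stats.example-ads.test/b.gif" style="display: none">
<img src="http://cdn.example-news.test/spacer.gif" width="1" height="1">
</body></html>
"""

def _site(host):
    """Crude registrable-domain check (last two labels); adequate for these hosts."""
    return ".".join(host.lower().split(".")[-2:])

class WebBugFinder(HTMLParser):
    """Collect src URLs of <img> tags that look like third-party tracking pixels."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname
        if host is None:
            return  # relative URL: served by the page's own site
        tiny = a.get("width") == "1" and a.get("height") == "1"
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        if (tiny or hidden) and _site(host) != _site(self.page_host):
            self.hits.append(a["src"])

def find_web_bugs(html, page_host=PAGE_HOST):
    """Return the src URLs of suspected web bugs found in `html`."""
    finder = WebBugFinder(page_host)
    finder.feed(html)
    return finder.hits
```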


Downloading Shared Files Threatens Security 
by Sgt. 1st Class Eric Hortin 

FORT HUACHUCA, Ariz. (Army News Service, April 22, 2004) — People spend 
hours in front of their computer screen, downloading music or new movies from the 
Internet and not paying a cent, but the Army considers such action on government 
computers to be a security threat. 

One program that is used to download files is Peer-to-Peer (P2P) architecture. 
It is a type of network in which each workstation has the capability to function as 
both a client and a server. It allows any computer running specific applications to 
share files and access devices with any other computer running on the same 
network without the need for a separate server. Most P2P applications allow the 
user to configure the sharing of specific directories, drives or devices. 

In a white paper written by the Army’s Computer Network Operations Intel- 
ligence section, unauthorized P2P applications on government systems, “represent 
a threat to network security.” 

“The idea of someone else getting unfettered access to anything of yours without 
your explicit consent should scare anybody — and that’s exactly what P2P 
authorizes,” says Zina Justiniano, an intelligence analyst with the U.S. Army Network 
Enterprise Technology Command’s (NETCOM) Intelligence Division, G2. “P2P is 
freeware. Freeware, shareware — most of the stuff that you pay nothing for, has a 
high price. The fact that it’s free says that anybody and their cousin can get it; that 
means that anybody and their cousin can get to your machine.” P2P applications 
are configured to use specific ports to communicate within the file sharing 
“network,” sometimes sidestepping firewalls. This circumvention creates a compromise 
and potential vulnerabilities in the network that, in a worst-case scenario, can lead 
to network intrusions, data compromise, or the introduction of illegal material and 
pornography. There is also the issue of bandwidth. Since the start of the global war 
on terrorism, the most pressing issue from service members in the field has been 
the shortage of bandwidth to transmit battlefield intelligence to combatant 
commanders. The average four-minute song converted into an audio file recorded at 
128-bit can be upwards of 5 megabytes. Full-length video MPEG files can easily reach 
1.6 gigabytes. Depending on the connection speed, even a small file may take 
several minutes to hours to download, using valuable bandwidth. Unauthorized use of 
P2P applications accounts for significant bandwidth consumption. It limits the 
bandwidth required for official business, and storage capacity on government systems. 
While those who monitor the Army networks agree that copyright infringement is 
a valid issue, they do have other, more important concerns. 

There are several known Trojan horses, worms and viruses that use commercial 
P2P networks to spread and create more opportunities for hackers to attack 
systems. Trojan horse applications record information and transmit it to an outside 
source. They can also install “backdoors” on operating systems, transmit credit card 
numbers and passwords — making these malicious programs a favorite of hackers. 
Some of the malicious codes allow hackers to snoop for passwords, disable antivirus 
and firewall software, and link the infected system to P2P networks to send large 
amounts of information (spam) using vulnerabilities in Windows operating systems. 

“If it’s a really good Trojan horse, it will actually run two programs; it will run 
the program they said they were going to run, so they will not only download it, 
but they will install it and be very happy that it’s there,” Justiniano said. “Mean- 
while in the background, another program is doing malicious damage to the com- 
puter by either damaging files or possibly taking files off the computer without your 
knowledge. If it’s a really nice program that runs well, (the user) will pass that file 
over to someone else because they really got their money’s worth out of it. People 
will just keep passing it along.” 

Trojan horses are not the cause of all security issues. Oftentimes, “spyware” 
applications are installed with the user’s consent; it’s buried in the really long 
agreement that nobody reads that a user must click, “I Accept,” in order to begin the 
installation. This is especially true with freeware applications downloaded from the 
Internet. According to published reports, a couple of years ago, some P2P applications 
came packaged with a spyware application that acted as a Trojan horse. This 
specific program sent information to an online lottery server. 

Those are just a couple of reasons the Army doesn’t want its people loading P2P 
on their systems, and enacted regulations prohibiting loading those applications. 

The Army’s regulation on Information Assurance, Army Regulation 25-2, specifi- 
cally prohibits certain activities; sharing files by means of P2P applications being 
one of them. There are some, however, who have P2P applications on their Army 
systems and use them despite the prohibition of such activities. 

Over a two-month period at the end of last year, government organizations identi- 
fied more than 420 suspected P2P sessions on Army systems in more than 30 loca- 
tions around the globe. 

It seems some don’t understand or haven’t read the standard Department of De- 
fense warning that says, “Use of this DOD computer system, authorized or unau- 
thorized, constitutes consent to monitoring.” For those who think, “How are they 
going to know it’s me? I’m just one person in a network of hundreds of thousands,” 
don’t be surprised when network access is cut off and the brigade commander is 
calling. 

It is the role of the Theater Network Operations and Security Center, located in 
Fort Huachuca, Ariz., to monitor and defend its portion of the Army network. This 
includes identifying potential security risks to the network, and unauthorized P2P 
applications, which create a considerable risk to those networks. 

“People shouldn’t assume they are using P2P applications in secrecy,” said Ronald 
Stewart, deputy director of the C-TNOSC. “We are able to detect use of P2P, and 
when we do, we take measures. We can detect and identify systems with P2P soft- 
ware on them; and when we find them, we direct the removal of the software from 
the system through the command chain.” 

Some Soldiers try to work around the Army networks to feed their P2P habits. 
Lt. Col. Roberto Andujar, director of the C-TNOSC, says using the Terminal Server 
Access Controller System (TSACS) to dial into the military network is not a 
workaround, because there are tools in place to identify P2P traffic. 

Methods commonly used by commercial industry, such as Internet Protocol (IP) 
address and port blocking, random monitoring, and configuring routers are some of 
the methods the C-TNOSC and installations take to prevent P2P access. There are 
other methods used, but specific examples cannot be discussed. 
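The port-based identification the article refers to, as an added example that is not a C-TNOSC tool or part of the hearing record: it scans constructed connection-log lines and flags internal hosts whose flows touch the default ports of P2P clients of the period. The log format, the internal address range, the port list and the log lines are assumptions made for this example.

```python
"""Flag suspected P2P sessions in connection logs by well-known default port.

Added example of port-based detection; not a C-TNOSC tool. Ports are the
default listening ports of P2P clients of the period (FastTrack 1214,
Gnutella 6346/6347, eDonkey 4662, BitTorrent 6881-6889). The log format,
internal address range and log lines are constructed.
"""
from collections import defaultdict
import ipaddress

P2P_PORTS = {1214: "FastTrack", 6346: "Gnutella", 6347: "Gnutella", 4662: "eDonkey"}
P2P_PORTS.update({p: "BitTorrent" for p in range(6881, 6890)})
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed log, one flow per line: "timestamp src:port -> dst:port proto bytes"
SAMPLE_LOG = """\
2004-04-20T09:01:02 10.1.4.7:3312 -> 192.0.2.10:80 tcp 4120
2004-04-20T09:01:05 10.1.4.7:3313 -> 198.51.100.23:1214 tcp 88210
2004-04-20T09:02:11 10.1.4.7:3314 -> 198.51.100.44:6346 tcp 1530
2004-04-20T09:03:40 10.2.9.1:4110 -> 203.0.113.8:6881 tcp 2203344
2004-04-20T09:04:00 10.2.9.1:4111 -> 192.0.2.10:443 tcp 900
2004-04-20T09:05:15 203.0.113.9:51234 -> 10.2.9.1:4662 tcp 51200
"""

def parse_line(line):
    """Split one log line into (ts, src_ip, src_port, dst_ip, dst_port, proto, bytes)."""
    ts, src, _, dst, proto, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return ts, sip, int(sport), dip, int(dport), proto, int(nbytes)

def suspected_p2p(log_text):
    """Map each internal host to its suspected P2P flows as (ts, peer, app, bytes).

    Port matching is coarse (clients can be moved to other ports, and an unrelated
    service may sit on one of these), so hits are leads for review, not proof.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ts, sip, sport, dip, dport, _proto, nbytes = parse_line(line)
        if ipaddress.ip_address(sip) in INTERNAL:
            host, peer, ports = sip, dip, (dport, sport)  # check the remote port first
        elif ipaddress.ip_address(dip) in INTERNAL:
            host, peer, ports = dip, sip, (sport, dport)
        else:
            continue  # neither end is internal; nothing to attribute
        app = next((P2P_PORTS[p] for p in ports if p in P2P_PORTS), None)
        if app:
            hits[host].append((ts, peer, app, nbytes))
    return dict(hits)
```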

Commanders who unwittingly allow P2P to run unchecked on their networks are 
not exempt from liability. Commanders may be held personally liable for any illegal 
possession, storage, copying, or distribution of copyrighted materials that occurs on 
their networks. Soldiers, civilian employees and contractors face even tougher pen- 
alties. 

People using P2P on government computers can look forward to other possibly 
harsher punishments depending on the kinds of files the users are sharing. 

“Say you have a Soldier downloading music through P2P, in violation of copyright 
rules,” said Tom King, a legal adviser with NETCOM. “The people who own the 
copyright can actually sue that Soldier. Then you have the issue that he’s violating 
a lawful order. Then you have the issue that it’s a misuse of government time and 
misuse of a government resource. He can be in a world of hurt. Then he’s also ex- 
posing the Army network to hacking attacks.” 

“Prosecutions are on the rise. Discipline is on the rise. People are taking this stuff 
more and more seriously all the time,” King said. “People just don’t understand that 
there’s a price to be paid for this.” 

Not understanding seems to be the main reason P2P applications keep showing 
up on Army computer systems. 

“User education is one of the keys,” said Kathy Buonocore, chief of the Regional 
Computer Emergency Response Team. “Some users don’t know it’s illegal.” 

“When I call some commanders and tell them, they say, ‘What’s P2P?’” Andujar 
said. “Commanders have to be educated and take action.” 

Education has to extend down to the organization administrators. Justiniano says 
those who have administrator privileges on government computer systems are the 
ones loading the unauthorized programs. To prevent this, system and network ad- 
ministrators should configure systems correctly, so users cannot install unauthor- 
ized software. 

“There are very few benefits that are not addressed somewhere else, that do not 
include the risk of P2P software,” Justiniano said, adding that the use of Army 
Knowledge Online knowledge centers and secure File Transfer Protocol sites are 
their preferred method of file sharing. 

(Editor’s note: Sgt. 1st Class Eric Hortin is a journalist for the U.S. Army Net- 
work Enterprise Technology Command.) 